Handlebars Improper Check for Unusual or Exceptional Conditions Vulnerability - CVE-2026-33939 - Vulnerability Database

Severity: High
Reference: CVE-2026-33939
Title: Handlebars Improper Check for Unusual or Exceptional Conditions Vulnerability
Overview:

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. {{*n}}), the compiled template calls lookupProperty(decorators, "n"), which returns undefined. The runtime then immediately invokes the result as a function, causing an unhandled "TypeError: ... is not a function" that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a try/catch is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue.

Some workarounds are available. Wrap compilation and rendering in try/catch. Validate template input before passing it to compile(); reject templates containing decorator syntax ({{*...}}) if decorators are not used in your application. Use the pre-compilation workflow: compile templates at build time and serve only pre-compiled templates; do not call compile() at request time.
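
The first two workarounds combined in one request-time guard, as an added example that is not code from Handlebars or from this advisory. The names hasDecoratorSyntax and safeRender, the deny pattern, and the result shape are assumptions of this example; the compile function is passed in by the caller (for instance require('handlebars').compile).

```javascript
// Deny pattern (assumption of this example): "{{", an optional "~"
// whitespace-control marker, an optional "#" block marker, then "*".
// It is deliberately conservative: it also rejects "{{#*inline}}" partials
// and decorator-like text inside escaped or raw sections, so use it only
// when the application does not rely on decorators at all.
const DECORATOR_RE = /\{\{~?#?\*/;

function hasDecoratorSyntax(source) {
  return typeof source === 'string' && DECORATOR_RE.test(source);
}

// Render an untrusted template without letting a template error escape.
// compile: the template compiler supplied by the caller.
// Returns { ok: true, output } or { ok: false, reason }.
function safeRender(compile, source, context) {
  if (typeof source !== 'string') {
    return { ok: false, reason: 'template must be a string' };
  }
  // Workaround: validate input before it reaches compile().
  if (hasDecoratorSyntax(source)) {
    return { ok: false, reason: 'decorator syntax is not allowed' };
  }
  try {
    // Workaround: compilation AND rendering both sit inside the try,
    // because the TypeError described above is raised by the compiled
    // template when it runs, not only while it is being built.
    const template = compile(source);
    return { ok: true, output: template(context) };
  } catch (err) {
    // Report the failure to the caller instead of crashing the process.
    return { ok: false, reason: 'template error: ' + err.name };
  }
}
```

Neither check replaces the upgrade to 4.7.9; the guard only keeps a malformed template from terminating the process on affected versions.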