
CVE-2026-33937: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') in handlebars-lang handlebars.js

Critical
Tags: Vulnerability, CVE-2026-33937, CWE-843, CWE-94
Published: Fri Mar 27 2026 (03/27/2026, 21:03:46 UTC)
Source: CVE Database V5
Vendor/Project: handlebars-lang
Product: handlebars.js

Description

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to `compile()` can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. Validate input type before calling `Handlebars.compile()`; ensure the argument is always a `string`, never a plain object or JSON-deserialized value. Use the Handlebars runtime-only build (`handlebars/runtime`) on the server if templates are pre-compiled at build time; `compile()` will be unavailable.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/27/2026, 21:30:04 UTC

Technical Analysis

Handlebars.js is a popular templating engine that allows users to build semantic templates. Versions 4.0.0 through 4.7.8 contain a critical vulnerability (CVE-2026-33937) due to improper handling of pre-parsed Abstract Syntax Tree (AST) objects passed to the Handlebars.compile() function. Specifically, the 'value' field of a NumberLiteral AST node is directly emitted into the generated JavaScript code without any quoting or sanitization. This type confusion vulnerability (CWE-843) enables an attacker who can supply a crafted AST object to inject arbitrary JavaScript code. Since the injected code is executed on the server during template compilation, this leads to remote code execution (RCE). The vulnerability does not require authentication or user interaction and can be exploited remotely if the attacker can influence the input to compile(). The flaw is fixed in version 4.7.9. Workarounds include validating that the input to compile() is always a string and never a deserialized object, or using the runtime-only build of Handlebars on the server, which disables compile() and requires templates to be pre-compiled at build time. The CVSS v3.1 score is 9.8, reflecting critical severity with network attack vector, low attack complexity, no privileges required, and full impact on confidentiality, integrity, and availability.

Potential Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code on the server hosting the vulnerable Handlebars.js instance. This can lead to complete server compromise, including data theft, manipulation, destruction, or pivoting to other internal systems. The vulnerability affects any organization using vulnerable versions of Handlebars.js for server-side template compilation, especially web applications that accept or process user-supplied templates or ASTs. The impact is critical as it compromises confidentiality, integrity, and availability of affected systems. Given the widespread use of Handlebars.js in web development, organizations across industries such as technology, finance, healthcare, and government are at risk. The lack of authentication or user interaction requirements lowers the barrier for exploitation, increasing the threat level. Although no known exploits are reported in the wild yet, the potential damage and ease of exploitation make this a high-priority vulnerability to address.

Mitigation Recommendations

1. Upgrade all instances of Handlebars.js to version 4.7.9 or later, where this vulnerability is fixed.
2. Validate inputs rigorously before passing them to Handlebars.compile(), ensuring that only template strings are accepted and that no deserialized AST objects or plain objects are allowed.
3. Use the Handlebars runtime-only build (`handlebars/runtime`) on the server side if templates can be pre-compiled during the build process, thereby eliminating the need to call compile() at runtime.
4. Implement strict input validation and sanitization on any user-supplied data that could influence template compilation.
5. Employ runtime application self-protection (RASP) or web application firewalls (WAFs) with rules targeting suspicious template compilation behavior or unexpected JavaScript injection patterns.
6. Monitor server logs for unusual template compilation requests or errors indicative of exploitation attempts.
7. Conduct code audits and penetration testing focusing on template handling to identify and remediate similar injection risks.
8. Educate developers about the risks of passing untrusted data to template compilation functions and enforce secure coding practices.
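The type-check workaround from the Description and from mitigation step 2 above, as an added example (not code from the handlebars.js project): a wrapper that refuses to hand anything but a primitive string to compile(), placed in front of a handler that reads its template from an untrusted JSON body. The Handlebars module is injected as a parameter and a constructed stub stands in for it so the file runs offline; in a real application pass `require('handlebars')` (assumed API: `handlebars.compile(template, options)`). `MAX_TEMPLATE_LENGTH` is an assumed local limit, not part of the advisory.

```javascript
// Added example: enforce "compile() only ever receives a string".
// `handlebars` is injected so this runs without the module installed.

const MAX_TEMPLATE_LENGTH = 64 * 1024; // assumption: tune for your templates

// Rejects anything that is not a primitive string. No coercion: an object
// (a JSON-deserialized AST, an array, even `new String('x')`) is refused
// outright instead of being stringified or passed through.
function assertTemplateString(input) {
  if (typeof input !== 'string') {
    // Object.prototype.toString gives a stable tag for the error message
    // without invoking a toString() the untrusted value may define itself.
    const tag = Object.prototype.toString.call(input);
    throw new TypeError(`template must be a string, got ${tag}`);
  }
  if (input.length > MAX_TEMPLATE_LENGTH) {
    throw new RangeError('template too large');
  }
  return input;
}

// The only place compile() is called: the guard runs first, unconditionally.
function safeCompile(handlebars, input, options) {
  return handlebars.compile(assertTemplateString(input), options);
}

// Constructed stand-in for the real module. It only records what it was
// given; the real compile() would parse the string and generate code here.
function stubHandlebars() {
  const calls = [];
  return {
    calls,
    compile(tpl) {
      calls.push(tpl);
      return () => `compiled:${tpl}`;
    },
  };
}

// Simulates a request handler whose template arrives in an untrusted JSON
// body (constructed input). Returns 'ok' when the template was accepted, or
// the name of the error class that stopped the call before compile() ran.
function handleUntrustedBody(handlebars, rawJsonBody) {
  const body = JSON.parse(rawJsonBody); // body.template may be any JSON type
  try {
    safeCompile(handlebars, body.template);
    return 'ok';
  } catch (e) {
    return e.constructor.name;
  }
}
```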


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-24T19:50:52.103Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69c6f3473c064ed76ff618a1

Added to database: 3/27/2026, 9:14:47 PM

Last enriched: 3/27/2026, 9:30:04 PM

Last updated: 3/27/2026, 10:02:54 PM
