CVE-2026-33937: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') in handlebars-lang handlebars.js
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to `compile()` can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. Validate input type before calling `Handlebars.compile()`; ensure the argument is always a `string`, never a plain object or JSON-deserialized value. Use the Handlebars runtime-only build (`handlebars/runtime`) on the server if templates are pre-compiled at build time; `compile()` will be unavailable.
AI Analysis
Technical Summary
Handlebars.js versions 4.0.0 to 4.7.8 have a type confusion vulnerability (CWE-843) in the compile() function, which accepts either a template string or a pre-parsed AST object. The vulnerability occurs because the value field of a NumberLiteral AST node is emitted directly into the generated JavaScript code without quoting or sanitization, enabling arbitrary JavaScript injection. This can lead to remote code execution on the server if an attacker can supply a crafted AST object. The issue is fixed in version 4.7.9. Mitigations include validating that the input to compile() is always a string and using the runtime-only build on the server when templates are pre-compiled.
Potential Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript code on the server, leading to full remote code execution. The vulnerability has a CVSS 3.1 base score of 9.8, indicating critical severity with high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
An official fix is available in Handlebars.js version 4.7.9. Users should upgrade to this version to fully remediate the vulnerability. Until upgrading, mitigate by validating that the argument to Handlebars.compile() is always a string and never a plain object or JSON-deserialized value. Alternatively, use the Handlebars runtime-only build on the server if templates are pre-compiled at build time, as this disables the compile() function and prevents exploitation.
CVE-2026-33937: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') in handlebars-lang handlebars.js
Description
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to `compile()` can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. Validate input type before calling `Handlebars.compile()`; ensure the argument is always a `string`, never a plain object or JSON-deserialized value. Use the Handlebars runtime-only build (`handlebars/runtime`) on the server if templates are pre-compiled at build time; `compile()` will be unavailable.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Handlebars.js versions 4.0.0 to 4.7.8 have a type confusion vulnerability (CWE-843) in the compile() function, which accepts either a template string or a pre-parsed AST object. The vulnerability occurs because the value field of a NumberLiteral AST node is emitted directly into the generated JavaScript code without quoting or sanitization, enabling arbitrary JavaScript injection. This can lead to remote code execution on the server if an attacker can supply a crafted AST object. The issue is fixed in version 4.7.9. Mitigations include validating that the input to compile() is always a string and using the runtime-only build on the server when templates are pre-compiled.
Potential Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript code on the server, leading to full remote code execution. The vulnerability has a CVSS 3.1 base score of 9.8, indicating critical severity with high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
An official fix is available in Handlebars.js version 4.7.9. Users should upgrade to this version to fully remediate the vulnerability. Until upgrading, mitigate by validating that the argument to Handlebars.compile() is always a string and never a plain object or JSON-deserialized value. Alternatively, use the Handlebars runtime-only build on the server if templates are pre-compiled at build time, as this disables the compile() function and prevents exploitation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-24T19:50:52.103Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c6f3473c064ed76ff618a1
Added to database: 3/27/2026, 9:14:47 PM
Last enriched: 4/4/2026, 10:49:14 AM
Last updated: 5/11/2026, 6:38:10 AM
Views: 240
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.