JustAppSec

Handlebars patches critical AST injection leading to server RCE

Published 27 Mar 2026 · Updated 27 Mar 2026 · Source: CVEProject (cvelistV5)

TL;DR — Handlebars can be driven into server-side RCE if untrusted input can reach Handlebars.compile() as a pre-parsed AST, allowing JavaScript injection in generated code.

What happened

Handlebars.js is a widely used JavaScript templating engine for building and rendering semantic templates (often on the server in Node.js).

CVE-2026-33937 reports a critical JavaScript/code injection issue where Handlebars.compile() accepts a template string or a pre-parsed AST object. In affected versions, the value field of a NumberLiteral AST node is emitted directly into generated JavaScript without quoting or sanitization, allowing an attacker who can supply a crafted AST to inject arbitrary JavaScript and reach remote code execution on the server.

This is a high-impact pattern: “template compilation as a service” and dynamic template rendering are common in internal tooling and multi-tenant platforms, and accepting non-string compile inputs can quietly widen the attack surface into a straight RCE primitive.

Who is impacted

  • Projects that depend on handlebars and call Handlebars.compile() on attacker-influenced input where that input can be (or be coerced into) an AST object rather than a string.
  • handlebars.js versions in the affected range described in the CVE record.
  Component                   Affected versions (per CVE record)   Fixed version (per CVE record)
  handlebars / handlebars.js  >= 4.0.0, < 4.7.9                    4.7.9

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing (the CVE record states the issue is fixed in 4.7.9).
  • Add hard guards anywhere Handlebars.compile() is called with non-constant input:

    "Validate input type before calling Handlebars.compile(); ensure the argument is always a string, never a plain object or JSON-deserialized value."

  • If you precompile templates at build time, reduce runtime exposure:

    "Use the Handlebars runtime-only build (handlebars/runtime) on the server if templates are pre-compiled at build time; compile() will be unavailable."

  • Inventory and review services that expose templating/rendering to users (email template services, CMS features, PDF/report generation, “render preview” endpoints). Treat any path that accepts structured template inputs (JSON, AST-like objects) as the highest-risk surface and prioritize patching/containment there first.

