PT-2026-35030 · Harttle+2 · Liquidjs

1Netvn · Published 2026-04-24 · Updated 2026-05-11 · CVE-2026-41311

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

LiquidJS versions prior to 10.25.7

Description

A circular block reference within {% layout %} and {% block %} tags can trigger an infinite recursive loop. This occurs in the getBlockRender() function within src/tags/block.ts during OUTPUT mode; when a block is nested inside another block of the same name in a child template, the system repeatedly calls the render function without a termination condition. This process consumes all available memory (approximately 4GB), leading to a Node.js process crash with a JavaScript heap out of memory error. Consequently, any user capable of submitting a Liquid template can execute a Denial of Service attack, causing complete service disruption.

Recommendations

Update to version 10.25.7.

Exploit · Fix · DoS · Uncontrolled Recursion

Weakness Enumeration

Related Identifiers

CVE-2026-41311
GHSA-4RC3-7J7W-M548

Affected Products

Liquidjs