PT-2026-43459 · Git+2 · Liquidjs
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
LiquidJS versions prior to 10.26.0
Description
LiquidJS is a template engine written in JavaScript. A flaw exists where the
renderLimit option, designed to mitigate Denial of Service (DoS) by limiting the time consumed by each render() call, can be completely bypassed. This occurs when a {% for %} or {% tablerow %} tag is used with an empty body. Because the per-iteration time check is only triggered when the body contains at least one template node, a template with an empty loop iterates the full collection without consulting the renderLimit.This allows a low-privileged template author to monopolize a Node.js event-loop thread for a duration controlled by the attacker, which scales linearly with the number of iterations up to the
memoryLimit. In multi-tenant environments, this can stall in-flight requests and impact system availability.Recommendations
Update to version 10.26.0.
As a temporary workaround, restrict the ability of low-privileged users to author templates containing empty
{% for %} or {% tablerow %} tags.Exploit
Fix
DoS
Resource Exhaustion
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Liquidjs