PT-2026-43459 · Git+2 · Liquidjs

·

CVE-2026-44645

·

Published

2026-05-27

·

Updated

2026-06-18

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions LiquidJS versions prior to 10.26.0
Description LiquidJS is a template engine written in JavaScript. A flaw exists where the renderLimit option, designed to mitigate Denial of Service (DoS) by limiting the time consumed by each render() call, can be completely bypassed. This occurs when a {% for %} or {% tablerow %} tag is used with an empty body. Because the per-iteration time check is only triggered when the body contains at least one template node, a template with an empty loop iterates the full collection without consulting the renderLimit.
This allows a low-privileged template author to monopolize a Node.js event-loop thread for a duration controlled by the attacker, which scales linearly with the number of iterations up to the memoryLimit. In multi-tenant environments, this can stall in-flight requests and impact system availability.
Recommendations Update to version 10.26.0. As a temporary workaround, restrict the ability of low-privileged users to author templates containing empty {% for %} or {% tablerow %} tags.

Exploit

Fix

DoS

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44645
GHSA-8XX9-69P8-7JP3

Affected Products

Liquidjs