PT-2026-44154 · Harttle+1 · Liquidjs
Published 2026-05-27 · Updated 2026-06-17 · CVE-2026-45357
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
LiquidJS versions prior to 10.26.0
Description
An issue exists in the date filter's strftime implementation where width specifiers, such as %9999999d, are parsed and passed unchecked into the pad() and padStart() functions. In the src/util/underscore.ts file, the pad() function performs unbounded string concatenation without verifying the memoryLimit or renderLimit of the Context. This allows a small template to generate megabytes of output and consume excessive CPU resources, effectively bypassing the documented Denial of Service (DoS) controls. Exploitation can lead to large memory allocations, high CPU usage, or Out-of-Memory (OOM) crashes. The risk is particularly high when a context value, which may be attacker-controlled, is used as the date format.
Recommendations
Update to version 10.26.0.
As a temporary workaround, avoid using attacker-controlled context values as the format argument in the date filter.
Fix
Resource Exhaustion
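Where a format string has to come from untrusted input until the upgrade is deployed, the workaround above can be enforced with a pre-check on the width specifiers. This is an added example, not code from LiquidJS or from this advisory; it assumes Ruby-style directives of the form %[flags][width][E|O]conversion, and the limits and function names are hypothetical.

```javascript
// Added example, not LiquidJS code. Limits and names below are assumptions.
const MAX_FORMAT_LENGTH = 128; // assumed cap on the whole format string
const MAX_FIELD_WIDTH = 32;    // assumed cap on a single %<width> field

// Assumed directive shape (Ruby-style strftime): %[flags][width][E|O]conversion
const DIRECTIVE = /%([-_0^#:]*)(\d*)([EO]?)([\s\S])/g;

// Returns { ok: true } or { ok: false, reason } without ever padding anything.
function checkDateFormat(format) {
  if (typeof format !== 'string') {
    return { ok: false, reason: 'format is not a string' };
  }
  if (format.length > MAX_FORMAT_LENGTH) {
    return { ok: false, reason: 'format string too long' };
  }
  for (const m of format.matchAll(DIRECTIVE)) {
    const width = m[2] === '' ? 0 : Number(m[2]);
    if (width > MAX_FIELD_WIDTH) {
      return { ok: false, reason: `width ${width} at offset ${m.index} exceeds ${MAX_FIELD_WIDTH}` };
    }
  }
  return { ok: true };
}

// Hypothetical helper: use a fixed format when untrusted input fails the check.
function safeDateFormat(untrusted, fallback = '%Y-%m-%d') {
  return checkDateFormat(untrusted).ok ? untrusted : fallback;
}

// Constructed sample inputs
for (const f of ['%Y-%m-%d %H:%M', '%-10d', '%9999999d', '%0999H']) {
  console.log(JSON.stringify(f), '->', JSON.stringify(checkDateFormat(f)));
}
```

Apply safeDateFormat to the value before it is placed in the render context, so the date filter only ever receives a bounded format.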
Affected Products
Liquidjs