PT-2026-51120 · Pypi · Python-Liquid

Published

2026-06-19

Updated

2026-06-19

CVE-2026-55865

CVSS v4.0

5.3

Medium

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Impact

Given a malformed {% case %} tag without associated {% when %} or {% else %} block, and no terminating {% endcase %} tag, Python Liquid hangs in an infinite loop at parse time. This allows malicious template authors to craft templates for a denial of service attack.

Patches

The issue is fixed in version 2.2.1 with the correction of the liquid.TokenStream.eof attribute. The kind and value of the special EOF token are now the same, so either can be tested against liquid.token.TOKEN EOF.

Workarounds

Manually correct the definition of liquid.TokenStream.eof before parsing any templates.

python

import liquid
from liquid.token import TOKEN EOF

liquid.stream.TokenStream.eof = liquid.Token(TOKEN EOF, TOKEN EOF, -1, "")

# ...

Fix

Infinite Loop

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-835

Related Identifiers

CVE-2026-55865

GHSA-VQ2F-VCC9-J8MV

Affected Products

Python-Liquid

PT-2026-51120 · Pypi · Python-Liquid

CVE-2026-55865

Impact

Patches

Workarounds

Weakness Enumeration

Related Identifiers

Affected Products

References · 3