CVE Catalog

CVE-2026-44645

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.32%

23th percentile — higher than 23% of all known CVEs

Summary

In versions 10.25.7 and below of the LiquidJS template engine, the renderLimit option can be fully bypassed by using an empty {% for %} or {% tablerow %} tag. This allows for unlimited rendering time consumption, potentially leading to DoS attacks.

Risk Assessment

Organizations using LiquidJS versions 10.25.7 and below may be vulnerable to DoS attacks that can block Node.js event-loop threads, leading to application availability issues.

Recommendation

It is recommended to upgrade to version 10.26.0 or later to mitigate this issue and consider additional mechanisms for DoS attack protection.

Original NVD description (English source)

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the renderLimit option can be fully bypassed by a {% for %} (or {% tablerow %}) tag whose body is empty. The renderLimit option is documented in docs/source/tutorials/dos.md as the mechanism that "mitigates this by limiting the time consumed by each render() call." The per-iteration time check is reached only when the body contains at least one template node, so a template such as {%- for i in (1..N) -%}{%- endfor -%} iterates the full collection without ever consulting renderLimit. With a configured renderLimit of 50 ms, a single parseAndRenderSync call has been observed to consume 2.26 seconds (~45× over the limit) and scales linearly with N up to memoryLimit, allowing a low-privileged template author to wedge an event-loop thread for an attacker-chosen duration. Deployments that rely on a finite renderLimit for DoS protection (common in multi-tenant template-authoring environments) can still be forced by a single crafted template to monopolize a Node.js event-loop worker for attacker-controlled time, potentially stalling in-flight requests, with availability impact only. This issue has been fixed in version 10.26.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS