Description
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.7, a circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with FATAL ERROR: JavaScript heap out of memory. This allows any user who can submit a Liquid template to perform a Denial of Service attack. This issue has been patched in version 10.25.7.
Published: 2026-05-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the LiquidJS template engine. A circular block reference using the {% layout %} and {% block %} tags leads to an infinite recursion that exhausts the JavaScript heap, resulting in a crash of the Node.js process. The impact is a denial of service to any running instance that renders untrusted templates.

Affected Systems

Affected products are those that use the LiquidJS library before version 10.25.7. The vendor is Harttle, and the library is the pure JavaScript LiquidJS engine. All deployments that embed LiquidJS in a Node.js environment and accept user‑submitted templates are vulnerable. The fix is available in release 10.25.7.

Risk and Exploitability

The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates high severity with an availability impact only. Exploitation requires nothing more than the ability to submit a template that the application will render, which is common in applications that allow content authoring, custom themes or user-defined message templates. There is no EPSS or KEV exploitation data yet, but the attack path is straightforward and repeatable: a single template whose {% layout %} chain refers back to itself is enough to exhaust the heap and crash the process, and wherever templates are accepted without authentication this can be done remotely by an unauthenticated attacker. Immediate patching is strongly recommended.

Generated by OpenCVE AI on May 9, 2026 at 05:20 UTC.

Remediation

Fixed in LiquidJS 10.25.7 (see Description); no workaround for earlier versions is provided by the vendor.

OpenCVE Recommended Actions

  • Apply the LiquidJS v10.25.7 upgrade or later to eliminate the infinite recursion bug.
  • If a process has already crashed, restart it to restore service (a supervisor such as systemd or pm2 can do this automatically); this is recovery only and does not stop the next malicious template from crashing it again.
  • Validate or sanitize user submitted template code to prevent circular references before rendering, or disable template rendering for untrusted users.
  • If an immediate upgrade is not possible, temporarily disable {% layout %} handling for untrusted templates (for example by registering a replacement layout tag that rejects the template) until the patched version can be deployed.

Generated by OpenCVE AI on May 9, 2026 at 05:20 UTC.
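The third recommended action above (validate user-submitted templates for circular references before rendering) is shown below as an added example; this is not LiquidJS project code or an OpenCVE artifact. It builds the {% layout %} dependency graph of a template store and rejects any cycle, including a template that lays out itself. The names checkLayoutGraph, parseLayoutRefs and canAccept are hypothetical helpers; the template store is a constructed in-memory object whose keys are assumed to match the names LiquidJS would resolve a layout argument to, and the regex is a conservative approximation of the tag syntax rather than the engine's own parser.

```javascript
'use strict';
// Added example, not LiquidJS project code: a fail-closed pre-render check that
// builds the {% layout %} dependency graph of a template store and rejects any
// cycle (including a template that lays out itself), which is the condition
// CVE-2026-41311 turns into unbounded recursion on unpatched LiquidJS.
//
// Assumptions: the object keys are the names LiquidJS would resolve a layout
// argument to (apply your own extname/root conventions when loading); the regex
// below is a conservative approximation of the tag syntax, so a `{% layout %}`
// inside {% raw %} or {% comment %} still counts (a false positive is safe here).

// Captures the raw argument text of every layout tag; tolerates {%- ... -%}.
const LAYOUT_TAG = /\{%-?\s*layout\s+([\s\S]*?)\s*-?%\}/g;

// Returns [{ name, dynamic }] for each layout tag in `source`.
// `{% layout none %}` contributes nothing; a non-literal argument is `dynamic`.
function parseLayoutRefs(source) {
  const refs = [];
  for (const m of source.matchAll(LAYOUT_TAG)) {
    const arg = m[1].trim();
    if (arg === 'none') continue;
    const lit = /^(["'])(.*?)\1/.exec(arg); // "base"  or  'base', title: "Home"
    refs.push(lit ? { name: lit[2], dynamic: false } : { name: arg, dynamic: true });
  }
  return refs;
}

// Walks the layout graph with a three-colour DFS (recursion depth is bounded by
// the number of templates); a back edge to a grey node closes a cycle. Returns
// every cycle, every statically unresolvable layout, and every missing target.
function checkLayoutGraph(templates) {
  const has = (n) => Object.prototype.hasOwnProperty.call(templates, n);
  const names = Object.keys(templates);
  const edges = new Map();
  const dynamic = [];
  const missing = [];
  for (const name of names) {
    const targets = [];
    for (const ref of parseLayoutRefs(templates[name])) {
      if (ref.dynamic) dynamic.push({ template: name, expr: ref.name });
      else if (!has(ref.name)) missing.push({ template: name, layout: ref.name });
      else targets.push(ref.name);
    }
    edges.set(name, targets);
  }
  const WHITE = 0, GREY = 1, BLACK = 2;
  const colour = new Map(names.map((n) => [n, WHITE]));
  const cycles = [];
  const path = [];
  const visit = (n) => {
    colour.set(n, GREY);
    path.push(n);
    for (const t of edges.get(n)) {
      if (colour.get(t) === GREY) cycles.push(path.slice(path.indexOf(t)).concat(t));
      else if (colour.get(t) === WHITE) visit(t);
    }
    path.pop();
    colour.set(n, BLACK);
  };
  for (const n of names) if (colour.get(n) === WHITE) visit(n);
  // Fail closed: a dynamic layout name cannot be proven acyclic, so it is not "safe".
  return { cycles, dynamic, missing, safe: cycles.length === 0 && dynamic.length === 0 };
}

// Gate for a single submission: accept only if the store stays acyclic with it added.
function canAccept(store, name, source) {
  return checkLayoutGraph({ ...store, [name]: source }).safe;
}

// Constructed sample store (not real templates from any deployment).
const SAMPLE_TEMPLATES = {
  self:   '{% layout "self" %}{% block body %}hi{% endblock %}',          // lays out itself
  a:      '{% layout "b" %}{% block body %}A{% endblock %}',
  b:      '{% layout "a" %}{% block body %}B{% endblock %}',              // a <-> b
  base:   '<html>{% block body %}{% endblock %}</html>',
  page:   '{%- layout "base", title: "Home" -%}{% block body %}Hello{% endblock %}',
  dyn:    '{% layout user_layout %}',                                     // unresolvable
  plain:  '{% layout none %}no layout',
  orphan: '{% layout "nope" %}',                                          // missing target
};

console.log(JSON.stringify(checkLayoutGraph(SAMPLE_TEMPLATES), null, 2));
```

Run the check on the whole store whenever a template is created or updated (canAccept does this for one submission) and again after upgrading, since a cycle that only becomes reachable through an edited base layout is still a cycle. The check is a stopgap, not a substitute for the 10.25.7 upgrade: a dynamic layout name or an include/render path it does not model can still reach the recursive code. Independently of either, rendering untrusted templates in a worker_threads Worker started with resourceLimits (for example maxOldGenerationSizeMb) confines a heap-exhaustion crash to that worker instead of the whole Node.js process.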

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-4rc3-7j7w-m548
Title: liquidjs has a Denial of Service via circular block reference in layout
History

Sat, 09 May 2026 05:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Harttle; Harttle liquidjs

Type: Vendors & Products
Values Removed: (none)
Values Added: Harttle; Harttle liquidjs

Sat, 09 May 2026 04:15:00 +0000

Type: Description
Values Added: LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.7, a circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with FATAL ERROR: JavaScript heap out of memory. This allows any user who can submit a Liquid template to perform a Denial of Service attack. This issue has been patched in version 10.25.7.

Type: Title
Values Added: LiquidJS is vulnerable to Denial of Service via circular block reference in layout

Type: Weaknesses
Values Added: CWE-674 (Uncontrolled Recursion)

Type: References
Values Added: (no values shown)

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T04:03:25.488Z

Reserved: 2026-04-20T14:01:46.671Z

Link: CVE-2026-41311

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-09T04:16:21.913

Modified: 2026-05-09T04:16:21.913

Link: CVE-2026-41311

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T05:30:16Z

Weaknesses