Description
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the renderLimit option can be fully bypassed by a {% for %} (or {% tablerow %}) tag whose body is empty. The renderLimit option is documented in docs/source/tutorials/dos.md as the mechanism that "mitigates this by limiting the time consumed by each render() call." The per-iteration time check is reached only when the body contains at least one template node, so a template such as {%- for i in (1..N) -%}{%- endfor -%} iterates the full collection without ever consulting renderLimit. With a configured renderLimit of 50 ms, a single parseAndRenderSync call has been observed to consume 2.26 seconds (~45× over the limit) and scales linearly with N up to memoryLimit, allowing a low-privileged template author to wedge an event-loop thread for an attacker-chosen duration. Deployments that rely on a finite renderLimit for DoS protection (common in multi-tenant template-authoring environments) can still be forced by a single crafted template to monopolize a Node.js event-loop worker for attacker-controlled time, potentially stalling in-flight requests, with availability impact only. This issue has been fixed in version 10.26.0.
Published: 2026-06-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LiquidJS versions 10.25.7 and earlier allow the renderLimit option, intended to limit rendering time, to be completely bypassed when a {% for %} or {% tablerow %} tag has an empty body. Because the per-iteration time check is only reached when the body contains at least one template node, the loop can iterate over an entire collection without consuming any time budget. A crafted template can instantiate a loop over thousands of items, causing the render to take seconds to minutes while never triggering the renderLimit. As a result the Node.js event-loop worker becomes fully occupied, stalling in-flight requests and causing an application-wide denial of service. The weakness is a classic resource exhaustion flaw and is identified as CWE-400.

Affected Systems

The affected product is LiquidJS, a vanilla JavaScript template engine for Shopify and GitHub Pages, distributed by the vendor harttle. Versions 10.25.7 and below are affected; the issue was fixed in version 10.26.0. Deployments that rely on a finite renderLimit for DoS protection (common in multi-tenant template-authoring environments) must upgrade from these versions to protect availability.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity. The EPSS score is less than 1%, implying a very low but non-zero likelihood of exploitation, and the vulnerability is not listed in CISA's KEV catalog. Likely attackers are low-privileged template authors who can submit a crafted template containing an empty loop. The fix is included in version 10.26.0 and later releases, so upgrading is the most effective countermeasure.

Generated by OpenCVE AI on June 18, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LiquidJS to version 10.26.0 or later to apply the vendor fix.
  • Audit all user‑supplied templates and remove any {% for %} or {% tablerow %} tags that have an empty body.
  • Run template rendering in a separate worker process or thread and enforce a hard time limit or kill the process if rendering exceeds acceptable thresholds.
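
The template audit recommended above can be automated. The following is an added example, not code from OpenCVE or the LiquidJS project: a heuristic scanner that reports {% for %} and {% tablerow %} tags whose body is empty or whitespace-only. The names findEmptyLoops and SAMPLE are hypothetical, the sample templates are constructed, and flagging whitespace-only bodies is a conservative assumption.

```javascript
// Added example (not LiquidJS code): audit template source for loop tags
// whose body is empty, the pattern this advisory describes.
const LOOP_END = new Map([['for', 'endfor'], ['tablerow', 'endtablerow']]);
const TAG_SRC = String.raw`\{%-?\s*(\w+)([\s\S]*?)-?%\}`;

const lineOf = (src, idx) => src.slice(0, idx).split('\n').length;

function findEmptyLoops(source) {
  const findings = [];
  const stack = []; // currently open for/tablerow tags
  const tag = new RegExp(TAG_SRC, 'g');
  let m;
  while ((m = tag.exec(source)) !== null) {
    const name = m[1];
    if (name === 'raw' || name === 'comment') {
      // Skip literal and commented regions so their contents are not reported.
      const end = new RegExp(`\\{%-?\\s*end${name}\\s*-?%\\}`, 'g');
      end.lastIndex = tag.lastIndex;
      tag.lastIndex = end.exec(source) ? end.lastIndex : source.length;
      continue;
    }
    if (LOOP_END.has(name)) {
      stack.push({ name, args: m[2].trim(), at: m.index, bodyStart: tag.lastIndex });
      continue;
    }
    const open = stack[stack.length - 1];
    if (open && LOOP_END.get(open.name) === name) {
      stack.pop();
      // Assumption: whitespace-only bodies are flagged too, because
      // whitespace control ({%- -%}) can strip them to nothing.
      if (source.slice(open.bodyStart, m.index).trim() === '') {
        findings.push({ tag: open.name, line: lineOf(source, open.at), args: open.args });
      }
    }
  }
  return findings;
}

// Constructed sample templates, one per line.
const SAMPLE = [
  '{%- for i in (1..100000) -%}{%- endfor -%}',                              // flagged
  '{% for p in products %}{{ p.title }}{% endfor %}',                        // has output
  '{% for a in rows %}{% tablerow c in a %}  {% endtablerow %}{% endfor %}', // inner flagged
  '{% raw %}{% for x in y %}{% endfor %}{% endraw %}',                       // literal text
].join('\n');

console.log(findEmptyLoops(SAMPLE));
```

A finding is a prompt for review rather than proof of abuse, and the scan complements the upgrade to 10.26.0 instead of replacing it.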

Advisories
Source: GitHub GHSA
ID: GHSA-8xx9-69p8-7jp3
Title: LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body
History

Thu, 18 Jun 2026 19:45:00 +0000

Type: First Time appeared
Values Added: Harttle; Harttle liquidjs

Type: Vendors & Products
Values Added: Harttle; Harttle liquidjs

Thu, 18 Jun 2026 19:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type: Description
Values Added: same text as the Description at the top of this page

Type: Title
Values Added: LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body

Type: Weaknesses
Values Added: CWE-400

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-18T19:05:32.418Z
Reserved: 2026-05-07T15:30:10.875Z
Link: CVE-2026-44645

Vulnrichment

Updated: 2026-06-18T19:03:50.192Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:00:15Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption