Description
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the date filter's strftime implementation parses width specifiers like %9999999d and forwards the captured width unchecked into pad()/padStart(), leading to memory and render limit bypass. In src/util/underscore.ts, the pad loop performs unbounded string concatenation without consulting the Context's memoryLimit or renderLimit, so a single small template ({{ x | date: '%5000000d' }}) produces megabytes of output and unbounded CPU. The memoryLimit and renderLimit options the docs (src/liquid-options.ts:87-92) advertise as DoS controls — and which the docstring explicitly mentions for strftime — are entirely bypassed. Exploitation can cause large memory allocations, high CPU usage, or OOM crashes per render. This issue has been fixed in version 10.26.0.
Published: 2026-06-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LiquidJS, the JavaScript template engine compatible with Shopify and GitHub Pages, contains a flaw in its date filter's strftime implementation. The filter accepts width specifiers such as %9999999d and passes the captured width to pad()/padStart() without consulting the engine's memoryLimit or renderLimit settings. As a result, a simple template such as {{ x | date: '%5000000d' }} can generate megabytes of output and consume unbounded CPU time, potentially exhausting memory, causing out-of-memory crashes, or overwhelming a rendering service. The issue is a classic Denial-of-Service weakness identified as CWE-400.

Affected Systems

The vulnerability affects all installations of LiquidJS version 10.25.7 and earlier. The library is maintained by Harttle and is distributed through npm. The fix was released in version 10.26.0, which removes the unchecked width handling. Users running older releases remain exposed to the DoS risk until they upgrade.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests low but non‑zero exploitation probability. Because the flaw can be triggered by any template containing an improperly sized width specifier, there is little technical barrier to exploitation. Attackers can embed such templates in user-generated content or request parameters, leading to large memory allocations, CPU hogging, or out‑of‑memory termination. The vulnerability is not listed in CISA’s KEV catalog, but the impact on hosted services and the ease of exploitation warrant prompt remediation.

Generated by OpenCVE AI on June 18, 2026 at 19:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LiquidJS to version 10.26.0 or later, which removes the unchecked width parsing in the date filter.
  • If upgrading immediately is not feasible, restrict the width or disable the date filter entirely in templates that originate from untrusted sources.
  • Implement external sanitization or validation of template content to reject or trim width specifiers larger than a safe threshold before they reach the renderer.
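
The validation step in the last recommendation could look like the following. This is an added example, not code from the advisory or from the LiquidJS project; the directive grammar, the `maxWidth` default of 32 and the names `oversizedWidths` and `auditTemplate` are assumptions chosen for illustration.

```javascript
// Added example (not LiquidJS code). The directive grammar is an assumption
// modeled on common strftime syntax: %[flags][width][E|O]<conversion>.
const DIRECTIVE = /%([-_0^#:]*)(\d*)([EO]?)([\s\S]?)/g;
// A `date` filter followed by a quoted literal argument or a bare variable.
const DATE_FILTER = /\|\s*date\s*:\s*(?:"([^"]*)"|'([^']*)'|([\w.\[\]]+))/g;

// Return every directive in `format` whose width exceeds `maxWidth`.
// Works on literals taken from template source and on runtime values alike.
function oversizedWidths(format, maxWidth = 32) {
  const hits = [];
  for (const m of String(format).matchAll(DIRECTIVE)) {
    const digits = m[2];
    // Number() of a very long digit run is still a large finite value or
    // Infinity, so the comparison rejects it without overflow handling.
    if (digits !== '' && Number(digits) > maxWidth) {
      hits.push({ directive: m[0], index: m.index });
    }
  }
  return hits;
}

// Scan untrusted template source before it reaches the renderer.
// `rejected` lists oversized literals; `dynamic` lists variables used as the
// format, which cannot be judged from source and need a runtime check.
function auditTemplate(source, maxWidth = 32) {
  const rejected = [];
  const dynamic = [];
  for (const m of String(source).matchAll(DATE_FILTER)) {
    const literal = m[1] ?? m[2];
    if (literal === undefined) {
      dynamic.push(m[3]);
      continue;
    }
    for (const hit of oversizedWidths(literal, maxWidth)) {
      rejected.push({ format: literal, ...hit });
    }
  }
  return { ok: rejected.length === 0, rejected, dynamic };
}

// Constructed sample input: the template quoted in the description.
const sample = auditTemplate("{{ x | date: '%5000000d' }}");
console.log(sample.ok, sample.rejected);
```

When `dynamic` is non-empty, pass the value bound to each listed variable through `oversizedWidths` before rendering, since a format string supplied in the render context never appears in the template source.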



Advisories
Source: Github GHSA
ID: GHSA-hh27-hf48-9f5q
Title: LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime)

History

Thu, 18 Jun 2026 19:30:00 +0000

Values added (no values removed):
  • First Time appeared: Harttle; Harttle liquidjs
  • Vendors & Products: Harttle; Harttle liquidjs

Thu, 18 Jun 2026 16:45:00 +0000

Values added (no values removed):
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Values added (no values removed):
  • Description: identical to the Description at the top of this page
  • Title: LiquidJS: Memory and render limit bypass via unbounded width padding in `date` filter (strftime)
  • Weaknesses: CWE-400
  • References
  • Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T12:49:15.361Z

Reserved: 2026-05-11T21:40:08.179Z

Link: CVE-2026-45357

Vulnrichment

Updated: 2026-06-18T12:47:54.507Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T19:15:02Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption