Impact
CVE-2026-45617 exposes a regular expression denial of service in the LiquidJS template engine. The strip_html filter contains a regex with flawed lazy quantifiers that trigger O(N²) backtracking when an input contains many unclosed tags such as <script, <style, or <!--. The V8 engine can block the Node.js event loop for several seconds, as a 350 KB payload can stall execution for ~10 seconds. This lockout occupies CPU cycles and saturates workers, effectively denying service. The flaw is a classic ReDoS identified by CWE‑1333.
Affected Systems
Affected by this issue are installations of LiquidJS version 10.25.7 and earlier. Harttle’s LiquidJS runs in Node.js environments, commonly embedded in web applications or static‑site generators. Any web service that accepts user‑supplied templates or content processed by the strip_html filter is vulnerable, regardless of authentication state, because the dangerous regex runs unbounded.
Risk and Exploitability
The severity is high with a CVSS score of 7.5, but the EPSS score is less than 1% and the vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the denial of service via an unauthenticated HTTP request containing crafted payloads. Because the flaw bypasses configured memory limits, the attack is trivial for an attacker who can send arbitrary input to the filter. Consequently, patching is strongly recommended even if current exploitation probability appears low.
OpenCVE Enrichment
Github GHSA