Description
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the built-in strip_html filter uses a regex containing four flawed lazy-quantified alternatives, leading to ReDoS via quadratic backtracking. When the input contains many <script, <style, or <!-- opener tokens without matching closers, the V8 regex engine performs O(N²) backtracking, blocking the Node.js event loop. A single ~350 KB request ('<script'.repeat(50000)) stalls the process for ~10 seconds; cost grows quadratically with input size. The default memoryLimit: Infinity does not bound regex CPU, and even when configured strip_html only charges str.length to the limit — the regex itself runs unbounded. A single unauthenticated request containing crafted untrusted input can cause severe event-loop blocking and CPU amplification that saturates Node.js workers while bypassing memoryLimit protections. This issue has been fixed in version 10.26.0.
Published: 2026-06-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CVE-2026-45617 exposes a regular expression denial of service in the LiquidJS template engine. The strip_html filter contains a regex with flawed lazy quantifiers that trigger O(N²) backtracking when an input contains many unclosed tags such as <script, <style, or <!--. The V8 engine can block the Node.js event loop for several seconds, as a 350 KB payload can stall execution for ~10 seconds. This lockout occupies CPU cycles and saturates workers, effectively denying service. The flaw is a classic ReDoS identified by CWE‑1333.

Affected Systems

Affected by this issue are installations of LiquidJS version 10.25.7 and earlier. Harttle’s LiquidJS runs in Node.js environments, commonly embedded in web applications or static‑site generators. Any web service that accepts user‑supplied templates or content processed by the strip_html filter is vulnerable, regardless of authentication state, because the dangerous regex runs unbounded.

Risk and Exploitability

The severity is high with a CVSS score of 7.5, but the EPSS score is less than 1% and the vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the denial of service via an unauthenticated HTTP request containing crafted payloads. Because the flaw bypasses configured memory limits, the attack is trivial for an attacker who can send arbitrary input to the filter. Consequently, patching is strongly recommended even if current exploitation probability appears low.

Generated by OpenCVE AI on June 18, 2026 at 19:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LiquidJS to version 10.26.0 or later to remove the vulnerable regex.
  • After upgrading, configure strict memory limits on regex operations to prevent future regex‑based blocking.
  • Monitor application latency and event‑loop responsiveness to detect abnormal blocking early.

Generated by OpenCVE AI on June 18, 2026 at 19:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r7g9-xpmj-5fcq LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex
History

Thu, 18 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Harttle
Harttle liquidjs
Vendors & Products Harttle
Harttle liquidjs

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the built-in strip_html filter uses a regex containing four flawed lazy-quantified alternatives, leading to ReDoS via quadratic backtracking. When the input contains many <script, <style, or <!-- opener tokens without matching closers, the V8 regex engine performs O(N²) backtracking, blocking the Node.js event loop. A single ~350 KB request ('<script'.repeat(50000)) stalls the process for ~10 seconds; cost grows quadratically with input size. The default memoryLimit: Infinity does not bound regex CPU, and even when configured strip_html only charges str.length to the limit — the regex itself runs unbounded. A single unauthenticated request containing crafted untrusted input can cause severe event-loop blocking and CPU amplification that saturates Node.js workers while bypassing memoryLimit protections. This issue has been fixed in version 10.26.0.
Title LiquidJS: ReDoS via Quadratic Backtracking in `strip_html` Filter Regex
Weaknesses CWE-1333
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Harttle Liquidjs
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T15:46:28.241Z

Reserved: 2026-05-12T20:31:43.448Z

Link: CVE-2026-45617

cve-icon Vulnrichment

Updated: 2026-06-18T15:46:20.491Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T19:15:02Z

Weaknesses
  • CWE-1333

    Inefficient Regular Expression Complexity