Arbitrary Code Injection

Overview liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript. Affected versions of this package are vulnerable to Arbitrary Code Injection via the filters and tags registries in Liquid. An attacker can trigger arbitrary inherited Object.prototype...

LiquidJS is Vulnerable to Remote Code Execution

Summary It is possible to execute arbitrary code with crafted templates Details 1|valueOf - this when evaluating the filter liquid %assign r=1|valueOf% r|inspect json...

GHSA-GF2Q-C269-PQGC LiquidJS is Vulnerable to Remote Code Execution

Summary It is possible to execute arbitrary code with crafted templates Details 1|valueOf - this when evaluating the filter liquid %assign r=1|valueOf% r|inspect json...

GHSA-R7G9-XPMJ-5FCQ LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex

Summary The built-in striphtml filter in liquidjs uses a regex containing four lazy-quantified alternatives. When the input contains many |||/g, '' The regex contains four lazy patterns: 1. 2. 3. 4. For an input like 'script'.repeatN, the engine encounters N starting positions. At each one it mus...

GHSA-HH27-HF48-9F5Q LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime)

Summary The date filter's strftime implementation parses width specifiers like %9999999d and forwards the captured width unchecked into pad/padStart in src/util/underscore.ts. The pad loop performs unbounded string concatenation without consulting the Context's memoryLimit or renderLimit, so a...

Insecure Default Initialization of Resource

Overview liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript. Affected versions of this package are vulnerable to Insecure Default Initialization of Resource in the Context.spawn function. An attacker can access prototype-chain properties of objects...

GHSA-9X9P-QF8F-MVJG LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`

Summary Context.spawn in liquidjs creates a child Context for the % render % tag but does not propagate the parent context's resolved ownPropertyOnly value. The new context re-derives ownPropertyOnly from opts.ownPropertyOnly the instance-level option, silently discarding any...

GHSA-8XX9-69P8-7JP3 LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body

Summary The renderLimit option — documented in docs/source/tutorials/dos.md as the mechanism that "mitigates this by limiting the time consumed by each render call" — can be fully bypassed by a % for % or % tablerow % tag whose body is empty. The per-iteration time check is reached only when the...

Denial of Service (DoS)

Overview liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript. Affected versions of this package are vulnerable to Denial of Service DoS through the renderTemplates function when the for or tablerow tag is used with an empty body. An attacker can...

GHSA-2QV6-9WX5-CWV4 LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS

Summary The striphtml filter in liquidjs is intended to remove HTML tags from a string before rendering, and is widely used as an XSS sanitizer. The implementation uses a regex whose catch-all branch does not match line terminators, so any HTML tag containing a \n or \r character passes through...

LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS

Summary The striphtml filter in liquidjs is intended to remove HTML tags from a string before rendering, and is widely used as an XSS sanitizer. The implementation uses a regex whose catch-all branch does not match line terminators, so any HTML tag containing a \n or \r character passes through...

PT-2026-44157

Name of the Vulnerable Software and Affected Versions liquidjs versions prior to 10.26.0 Description An issue allows unauthenticated attackers to achieve remote code execution and server compromise through crafted templates. The flaw is triggered by abusing filter evaluation, prototype...

PT-2026-44156

Summary The built-in strip html filter in liquidjs uses a regex containing four lazy-quantified alternatives. When the input contains many |||/g, '' The regex contains four lazy patterns: 1. 2. 3. 4. For an input like 'script'.repeatN, the engine encounters N starting positions. At each one it mu...

CVE-2026-45617

creationtimestamp| type| source ---|---|--- 2026-05-24 13:22:51+00:00| published-proof-of-concept| https://github.com/harttle/liquidjs/security/advisories/GHSA-r7g9-xpmj-5fcq...

CVE-2026-45618

creationtimestamp| type| source ---|---|--- 2026-05-24 13:22:43+00:00| published-proof-of-concept| https://github.com/harttle/liquidjs/security/advisories/GHSA-gf2q-c269-pqgc...

CVE-2026-45357

creationtimestamp| type| source ---|---|--- 2026-05-24 13:22:38+00:00| published-proof-of-concept| https://github.com/harttle/liquidjs/security/advisories/GHSA-hh27-hf48-9f5q...

CVE-2026-41311

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.7, a circular block reference in % layout % / % block % causes an infinite recursive loop, consuming all available memory 4GB and crashing the Node.js process with FATAL ERROR: JavaScript he...

CVE-2026-41311

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.7, a circular block reference in % layout % / % block % causes an infinite recursive loop, consuming all available memory 4GB and crashing the Node.js process with FATAL ERROR: JavaScript he...

CVE-2026-41311 LiquidJS is vulnerable to Denial of Service via circular block reference in layout

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.7, a circular block reference in % layout % / % block % causes an infinite recursive loop, consuming all available memory 4GB and crashing the Node.js process with FATAL ERROR: JavaScript he...

CVE-2026-41311

Vulnerability: CVE-2026-41311 affects LiquidJS (Shopify/GitHub Pages compatible template engine). Before 10.25.7, a circular reference in {% layout %} / {% block %} can trigger infinite recursion, exhausting memory (~4 GB) and crashing the Node.js process. Impact: Denial of Service from user-subm...