9 matches found
CVE-2026-44645
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the renderLimit option can be fully bypassed by a % for % or % tablerow % tag whose body is empty. The renderLimit option is documented in docs/source/tutorials/dos.md as the...
CVE-2026-45357
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the date filter's strftime implementation parses width specifiers like %9999999d and forwards the captured width unchecked into pad/padStart, leading to memory and render limit...
CVE-2026-44645 LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the renderLimit option can be fully bypassed by a % for % or % tablerow % tag whose body is empty. The renderLimit option is documented in docs/source/tutorials/dos.md as the...
CVE-2026-44645
CVE-2026-44645 affects LiquidJS up to version 10.25.7, where the renderLimit DoS guard can be bypassed by an empty {% for %} or {% tablerow %} body. The per-iteration time check only runs when the body contains at least one template node, so templates like {% for i in (1..N) %}{% endfor %} bypass...
GHSA-HH27-HF48-9F5Q LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime)
Summary The date filter's strftime implementation parses width specifiers like %9999999d and forwards the captured width unchecked into pad/padStart in src/util/underscore.ts. The pad loop performs unbounded string concatenation without consulting the Context's memoryLimit or renderLimit, so a...
LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime)
Summary The date filter's strftime implementation parses width specifiers like %9999999d and forwards the captured width unchecked into pad/padStart in src/util/underscore.ts. The pad loop performs unbounded string concatenation without consulting the Context's memoryLimit or renderLimit, so a...
GHSA-8XX9-69P8-7JP3 LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body
Summary The renderLimit option — documented in docs/source/tutorials/dos.md as the mechanism that "mitigates this by limiting the time consumed by each render call" — can be fully bypassed by a % for % or % tablerow % tag whose body is empty. The per-iteration time check is reached only when the...
LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body
Summary The renderLimit option — documented in docs/source/tutorials/dos.md as the mechanism that "mitigates this by limiting the time consumed by each render call" — can be fully bypassed by a % for % or % tablerow % tag whose body is empty. The per-iteration time check is reached only when the...
PT-2026-43459
Name of the Vulnerable Software and Affected Versions LiquidJS versions prior to 10.26.0 Description LiquidJS is a template engine written in JavaScript. A flaw exists where the renderLimit option, designed to mitigate Denial of Service DoS by limiting the time consumed by each render call, can b...