Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-41311

CVE-2026-41311: Liquidjs Template Engine DOS Vulnerability

CVE-2026-41311 is a denial of service flaw in Liquidjs template engine caused by circular block references that crash Node.js. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-41311 Overview

CVE-2026-41311 is a denial-of-service vulnerability in LiquidJS, a Shopify and GitHub Pages compatible template engine written in pure JavaScript. Versions prior to 10.25.7 permit a circular block reference between {% layout %} and {% block %} tags. This circular reference triggers an infinite recursive loop during template rendering. The loop consumes approximately 4GB of memory before crashing the Node.js process with FATAL ERROR: JavaScript heap out of memory. Any user able to submit a Liquid template can trigger the condition, making multi-tenant rendering environments particularly exposed. The maintainers patched the issue in version 10.25.7.

Critical Impact

Authenticated attackers who can submit Liquid templates can crash the Node.js process by exhausting heap memory, producing a reliable denial-of-service condition.

Affected Products

  • LiquidJS versions prior to 10.25.7
  • Node.js applications embedding LiquidJS for server-side template rendering
  • Multi-tenant platforms accepting user-submitted Liquid templates

Discovery Timeline

  • 2026-05-09 - CVE-2026-41311 published to NVD
  • 2026-05-14 - Last updated in NVD database

Technical Details for CVE-2026-41311

Vulnerability Analysis

The vulnerability is an uncontrolled recursion flaw classified under [CWE-674]. LiquidJS supports template inheritance through the {% layout %} tag, which loads a parent layout, and the {% block %} tag, which defines or overrides named regions. When a layout references a block that in turn references the layout, the template engine enters an unbounded recursive expansion. Each recursion frame allocates additional template state on the Node.js heap. The process terminates with FATAL ERROR: JavaScript heap out of memory after the V8 heap limit is reached, typically around 4GB.

Root Cause

The template engine did not track block resolution context per render invocation. The internal getRegister helper returned a shared mutable object without scoping it to the current layout traversal. Circular references between layout and block therefore re-entered the same resolution path indefinitely without a termination check.

Attack Vector

Exploitation requires the attacker to supply a Liquid template that is rendered by the server. The CVSS vector indicates network reach with low privileges required and no user interaction. Confidentiality and integrity are unaffected, but availability is fully compromised when the Node.js worker crashes.

typescript
// Patch excerpt: src/context/context.ts
// Source: https://github.com/harttle/liquidjs/commit/e2311dfd6e82f73509308aa8a3a1fafc92e226f0
    this.memoryLimit = memoryLimit ?? new Limiter('memory alloc', renderOptions.memoryLimit ?? opts.memoryLimit)
    this.renderLimit = renderLimit ?? new Limiter('template render', getPerformance().now() + (renderOptions.renderLimit ?? opts.renderLimit))
  }
-  public getRegister (key: string) {
-    return (this.registers[key] = this.registers[key] || {})
+  public getRegister<T> (key: string, defaultValue: T = undefined as T): T {
+    return (this.registers[key] = this.registers[key] || defaultValue)
  }
  public setRegister (key: string, value: any) {
    return (this.registers[key] = value)

The patch generalizes getRegister to accept a typed default value, enabling callers in the layout and block tag implementations to track per-render state and break circular references. See the LiquidJS commit e2311df for the full fix.

Detection Methods for CVE-2026-41311

Indicators of Compromise

  • Node.js process crashes with the log line FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed - JavaScript heap out of memory
  • Sudden resident memory growth toward the V8 heap ceiling (default near 4GB) immediately preceding a worker exit
  • Repeated 502 or 504 responses from services that render user-supplied Liquid templates

Detection Strategies

  • Inspect submitted Liquid templates for {% layout %} directives that reference a parent which redefines or re-extends the calling template through {% block %}
  • Correlate template render error logs with the originating tenant, API key, or user account to identify abusive submitters
  • Track LiquidJS version metadata in software bills of materials and flag any version below 10.25.7

Monitoring Recommendations

  • Alert on Node.js worker restarts and out-of-memory exit codes from process managers such as PM2, systemd, or Kubernetes
  • Monitor heap utilization with --max-old-space-size instrumentation and set thresholds well below the configured limit
  • Log template render durations and trigger alerts when individual renders exceed expected latency budgets

How to Mitigate CVE-2026-41311

Immediate Actions Required

  • Upgrade LiquidJS to version 10.25.7 or later across all Node.js services
  • Audit dependency trees with npm ls liquidjs or yarn why liquidjs to identify transitive consumers
  • Restrict template submission to trusted users until patching is complete

Patch Information

The fix is available in LiquidJS v10.25.7 via commit e2311df. Refer to GitHub Security Advisory GHSA-4rc3-7j7w-m548 for the maintainer's disclosure.

Workarounds

  • Configure renderLimit and memoryLimit options on the LiquidJS Liquid constructor to bound per-render resources
  • Reject templates that contain both {% layout %} and overriding {% block %} tags pointing back to the caller using static analysis before rendering
  • Run template rendering in isolated worker processes so that an out-of-memory crash does not affect the primary service
bash
# Upgrade LiquidJS to the patched release
npm install liquidjs@^10.25.7

# Verify the installed version
npm ls liquidjs

# Run Node.js workers with a constrained heap and supervised restarts
node --max-old-space-size=512 server.js

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.