CVE-2026-41311 Overview
CVE-2026-41311 is a denial-of-service vulnerability in LiquidJS, a Shopify and GitHub Pages compatible template engine written in pure JavaScript. Versions prior to 10.25.7 permit a circular block reference between {% layout %} and {% block %} tags. This circular reference triggers an infinite recursive loop during template rendering. The loop consumes approximately 4GB of memory before crashing the Node.js process with FATAL ERROR: JavaScript heap out of memory. Any user able to submit a Liquid template can trigger the condition, making multi-tenant rendering environments particularly exposed. The maintainers patched the issue in version 10.25.7.
Critical Impact
Authenticated attackers who can submit Liquid templates can crash the Node.js process by exhausting heap memory, producing a reliable denial-of-service condition.
Affected Products
- LiquidJS versions prior to 10.25.7
- Node.js applications embedding LiquidJS for server-side template rendering
- Multi-tenant platforms accepting user-submitted Liquid templates
Discovery Timeline
- 2026-05-09 - CVE-2026-41311 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-41311
Vulnerability Analysis
The vulnerability is an uncontrolled recursion flaw classified under [CWE-674]. LiquidJS supports template inheritance through the {% layout %} tag, which loads a parent layout, and the {% block %} tag, which defines or overrides named regions. When a layout references a block that in turn references the layout, the template engine enters an unbounded recursive expansion. Each recursion frame allocates additional template state on the Node.js heap. The process terminates with FATAL ERROR: JavaScript heap out of memory after the V8 heap limit is reached, typically around 4GB.
Root Cause
The template engine did not track block resolution context per render invocation. The internal getRegister helper returned a shared mutable object without scoping it to the current layout traversal. Circular references between layout and block therefore re-entered the same resolution path indefinitely without a termination check.
Attack Vector
Exploitation requires the attacker to supply a Liquid template that is rendered by the server. The CVSS vector indicates network reach with low privileges required and no user interaction. Confidentiality and integrity are unaffected, but availability is fully compromised when the Node.js worker crashes.
// Patch excerpt: src/context/context.ts
// Source: https://github.com/harttle/liquidjs/commit/e2311dfd6e82f73509308aa8a3a1fafc92e226f0
this.memoryLimit = memoryLimit ?? new Limiter('memory alloc', renderOptions.memoryLimit ?? opts.memoryLimit)
this.renderLimit = renderLimit ?? new Limiter('template render', getPerformance().now() + (renderOptions.renderLimit ?? opts.renderLimit))
}
- public getRegister (key: string) {
- return (this.registers[key] = this.registers[key] || {})
+ public getRegister<T> (key: string, defaultValue: T = undefined as T): T {
+ return (this.registers[key] = this.registers[key] || defaultValue)
}
public setRegister (key: string, value: any) {
return (this.registers[key] = value)
The patch generalizes getRegister to accept a typed default value, enabling callers in the layout and block tag implementations to track per-render state and break circular references. See the LiquidJS commit e2311df for the full fix.
Detection Methods for CVE-2026-41311
Indicators of Compromise
- Node.js process crashes with the log line FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed - JavaScript heap out of memory
- Sudden resident memory growth toward the V8 heap ceiling (default near 4GB) immediately preceding a worker exit
- Repeated 502 or 504 responses from services that render user-supplied Liquid templates
Detection Strategies
- Inspect submitted Liquid templates for {% layout %} directives that reference a parent which redefines or re-extends the calling template through {% block %}
- Correlate template render error logs with the originating tenant, API key, or user account to identify abusive submitters
- Track LiquidJS version metadata in software bills of materials and flag any version below 10.25.7
Monitoring Recommendations
- Alert on Node.js worker restarts and out-of-memory exit codes from process managers such as PM2, systemd, or Kubernetes
- Monitor heap utilization with --max-old-space-size instrumentation and set thresholds well below the configured limit
- Log template render durations and trigger alerts when individual renders exceed expected latency budgets
How to Mitigate CVE-2026-41311
Immediate Actions Required
- Upgrade LiquidJS to version 10.25.7 or later across all Node.js services
- Audit dependency trees with npm ls liquidjs or yarn why liquidjs to identify transitive consumers
- Restrict template submission to trusted users until patching is complete
Patch Information
The fix is available in LiquidJS v10.25.7 via commit e2311df. Refer to GitHub Security Advisory GHSA-4rc3-7j7w-m548 for the maintainer's disclosure.
Workarounds
- Configure renderLimit and memoryLimit options on the LiquidJS Liquid constructor to bound per-render resources
- Reject templates that contain both {% layout %} and overriding {% block %} tags pointing back to the caller using static analysis before rendering
- Run template rendering in isolated worker processes so that an out-of-memory crash does not affect the primary service
# Upgrade LiquidJS to the patched release
npm install liquidjs@^10.25.7
# Verify the installed version
npm ls liquidjs
# Run Node.js workers with a constrained heap and supervised restarts
node --max-old-space-size=512 server.js
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
