CVE-2026-45357 Overview
CVE-2026-45357 is a denial of service vulnerability in LiquidJS, a Shopify/GitHub Pages compatible template engine written in pure JavaScript. The flaw resides in the date filter's strftime implementation, which parses width specifiers such as %9999999d and forwards the captured width unchecked into pad()/padStart(). The advertised memoryLimit and renderLimit Context options are bypassed entirely, allowing a single small template to allocate megabytes of output and consume unbounded CPU. The issue affects versions 10.25.7 and below and is fixed in version 10.26.0. The vulnerability is classified as Uncontrolled Resource Consumption [CWE-400].
Critical Impact
A single template such as {{ x | date: '%5000000d' }} produces megabytes of output and can trigger out-of-memory crashes per render.
Affected Products
- LiquidJS versions ≤ 10.25.7
- Applications embedding LiquidJS for user-supplied template rendering
- Shopify/GitHub Pages compatible template pipelines using LiquidJS
Discovery Timeline
- 2026-06-17 - CVE-2026-45357 published to NVD
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-45357
Vulnerability Analysis
The vulnerability stems from how LiquidJS handles strftime width specifiers inside the date filter. The parser accepts arbitrarily large integers in directives such as %9999999d and passes the captured width value directly to the padding routine. In src/util/underscore.ts, the pad loop performs unbounded string concatenation without consulting the Context's memoryLimit or renderLimit. As a result, attacker-controlled width values translate directly into attacker-controlled memory and CPU consumption.
The memoryLimit and renderLimit options described in src/liquid-options.ts:87-92 are documented as denial-of-service controls, and their docstrings explicitly reference strftime usage. Because the pad loop never queries these limits, the safeguards are completely bypassed. An attacker submitting templates to a server-side render path can force large allocations or out-of-memory termination of the host process.
Root Cause
The root cause is missing bounds enforcement in the strftime width handling and pad loop within src/util/underscore.ts. The parser does not cap the captured width and does not consult the Context's resource limits during string concatenation, violating the documented protection contract.
Attack Vector
Exploitation requires the ability to supply a Liquid template fragment or, in many deployments, a single template variable consumed by the date filter with an attacker-influenced format string. The attack is network-exploitable with low complexity and no authentication when the application renders user-controlled templates or formats.
The vulnerability manifests when the date filter receives a strftime format string containing a large width specifier. The pad routine then concatenates characters in a loop bounded only by that width. See the GitHub Security Advisory GHSA-hh27-hf48-9f5q for additional technical detail.
Detection Methods for CVE-2026-45357
Indicators of Compromise
- Process-level out-of-memory terminations or sustained high CPU usage in Node.js services rendering Liquid templates.
- Inbound HTTP requests containing template fragments with large numeric width specifiers in date filter arguments, for example %5000000d.
- Spikes in heap allocation immediately preceding template render errors in application logs.
Detection Strategies
- Inspect application logs and request bodies for strftime-style format strings containing width values above a small threshold (e.g., >32).
- Monitor Node.js process metrics for abrupt RSS growth correlated with template rendering endpoints.
- Run software composition analysis to flag liquidjs versions at or below 10.25.7 in production dependencies and lockfiles.
Monitoring Recommendations
- Alert on repeated render timeouts or OOM restarts on services that accept user-supplied templates or format strings.
- Track the LiquidJS package version across CI/CD pipelines and container images and fail builds on vulnerable versions.
- Capture and review HTTP request payloads targeting template rendering routes for anomalous % directive patterns.
How to Mitigate CVE-2026-45357
Immediate Actions Required
- Upgrade LiquidJS to version 10.26.0 or later, which contains the fix in commit 3129d46.
- Audit all code paths that render Liquid templates with untrusted input, particularly any use of the date filter with attacker-influenced format strings.
- Enforce request size and execution timeouts on endpoints that invoke template rendering to bound worst-case impact while patching.
Patch Information
The fix is included in LiquidJS Release v10.26.0. The patch enforces the Context's memoryLimit and renderLimit within the pad routine so that oversized strftime width specifiers no longer bypass the documented resource controls. Review the upstream commit for the exact code changes.
Workarounds
- Reject or sanitize user-supplied strftime format strings, stripping any %<digits><specifier> patterns with width values above a small cap.
- Disable or restrict the date filter for templates rendered from untrusted sources until the upgrade is deployed.
- Run template rendering in worker processes with hard memory and CPU limits so OOM crashes do not affect the parent service.
# Upgrade LiquidJS to the patched release
npm install liquidjs@^10.26.0
# Verify the resolved version in the lockfile
npm ls liquidjs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
