Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-55575

CVE-2026-55575: LiquidJS DoS Vulnerability

CVE-2026-55575 is a denial of service flaw in LiquidJS that allows attackers to bypass memory limits via the pop array filter. This article covers technical details, affected versions, and mitigation strategies.

Published:

CVE-2026-55575 Overview

CVE-2026-55575 is a resource allocation vulnerability [CWE-770] in LiquidJS, a Shopify and GitHub Pages compatible template engine written in pure JavaScript. Versions prior to 10.27.1 fail to charge memory allocations performed by the pop array filter against the configured memoryLimit budget. An attacker who can influence template inputs can trigger an unbounded array clone using a template such as {{ huge_array | pop }}, exhausting server memory. The vulnerability is fixed in LiquidJS version 10.27.1.

Critical Impact

Remote attackers can trigger uncontrolled memory allocation through template rendering, bypassing the LiquidJS memoryLimit sandbox and causing denial of service on affected applications.

Affected Products

  • LiquidJS versions prior to 10.27.1
  • Applications embedding LiquidJS for template rendering with attacker-influenced input
  • Shopify or GitHub Pages compatible tooling built on LiquidJS

Discovery Timeline

  • 2026-07-08 - CVE-2026-55575 published to NVD
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-55575

Vulnerability Analysis

LiquidJS provides a memoryLimit sandbox mechanism that allows operators to cap memory consumed by a single template render. Filters that allocate memory are expected to call this.context.memoryLimit.use(...) so that allocations are accounted against the configured budget. The pop array filter in src/filters/array.ts skipped this accounting step. When rendering a template such as {{ huge_array | pop }}, the filter cloned the entire input array using the spread operator [...toArray(v)] before calling pop(). The clone operation is O(N) in memory usage and executes outside the memory limit tracker.

This behavior classifies as an Algorithmic Complexity Attack and Resource Exhaustion issue [CWE-770]. Applications relying on memoryLimit as a defense against untrusted templates cannot enforce the intended bound when the pop filter is invoked on a large array.

Root Cause

The root cause is a missing call to this.context.memoryLimit.use(array.length) inside the pop filter implementation. Without this call, the runtime accounting layer never observes the allocation, so the memory limit check cannot fire. The bug is a violation of the filter contract shared with other array filters in the codebase.

Attack Vector

Exploitation requires the attacker to influence either the template source or the array input passed to a template that already contains the pop filter. In multi-tenant SaaS platforms, static site generators, and CMS integrations, user-supplied Liquid templates or user-controlled data collections are common attack surfaces. Repeated requests targeting a large array can degrade or crash the rendering process.

typescript
   return clone
 }
 
-export function pop<T> (v: T[]): T[] {
-  const clone = [...toArray(v)]
+export function pop<T> (this: FilterImpl, v: T[]): T[] {
+  const array = toArray(v)
+  this.context.memoryLimit.use(array.length)
+  const clone = [...array]
   clone.pop()
   return clone
 }

Source: GitHub Commit 8a0c74a7. The patch adds an explicit memoryLimit.use(array.length) call so that cloning the input array now consumes the configured budget and triggers the limit when exceeded.

Detection Methods for CVE-2026-55575

Indicators of Compromise

  • Node.js process crashes with JavaScript heap out of memory or FATAL ERROR: Reached heap limit during Liquid template rendering.
  • Sudden spikes in resident set size (RSS) of the rendering worker correlated with requests containing large arrays or the pop filter.
  • Repeated 5xx responses or worker restarts from endpoints that render user-supplied Liquid templates.

Detection Strategies

  • Inventory application dependencies and flag any version of liquidjs below 10.27.1 in package.json and lockfiles.
  • Inspect template sources and stored content for occurrences of the | pop filter applied to attacker-controlled collections.
  • Perform Software Composition Analysis (SCA) scans in CI/CD pipelines to detect vulnerable LiquidJS releases before deployment.

Monitoring Recommendations

  • Enable memory and CPU metrics on Node.js processes rendering Liquid templates, with alerting on abnormal growth.
  • Log template render durations and payload sizes to identify anomalous requests targeting large arrays.
  • Correlate application logs with reverse proxy or WAF logs to spot repeated abusive requests against template endpoints.

How to Mitigate CVE-2026-55575

Immediate Actions Required

  • Upgrade LiquidJS to version 10.27.1 or later across all applications and container images.
  • Audit deployed templates for use of pop on user-influenced arrays and reject or rate-limit such requests until patched.
  • Enforce request size limits at the reverse proxy or API gateway to reduce the size of attacker-supplied arrays.

Patch Information

The fix is available in LiquidJS 10.27.1. See the GitHub Release v10.27.1, the Pull Request #907, and the GHSA-g357-x5c3-c72p Security Advisory for full details. The patch adds this.context.memoryLimit.use(array.length) to the pop filter so allocations count against the memoryLimit budget.

Workarounds

  • Disable or override the pop filter for templates rendered from untrusted sources until the upgrade is applied.
  • Restrict template inputs so that user-supplied arrays cannot exceed a safe maximum length before reaching the renderer.
  • Run template rendering workers with strict Node.js --max-old-space-size limits and automatic restart to contain resource exhaustion.
bash
# Upgrade LiquidJS to the patched release
npm install liquidjs@10.27.1

# Verify installed version
npm ls liquidjs

# Audit remaining vulnerable dependencies
npm audit --production

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.