CVE-2026-44645
Received Received - Intake
Loop DoS via renderLimit Bypass in LiquidJS

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the renderLimit option can be fully bypassed by a {% for %} (or {% tablerow %}) tag whose body is empty. The renderLimit option is documented in docs/source/tutorials/dos.md as the mechanism that "mitigates this by limiting the time consumed by each render() call." The per-iteration time check is reached only when the body contains at least one template node, so a template such as {%- for i in (1..N) -%}{%- endfor -%} iterates the full collection without ever consulting renderLimit. With a configured renderLimit of 50 ms, a single parseAndRenderSync call has been observed to consume 2.26 seconds (~45Γ— over the limit) and scales linearly with N up to memoryLimit, allowing a low-privileged template author to wedge an event-loop thread for an attacker-chosen duration. Deployments that rely on a finite renderLimit for DoS protection (common in multi-tenant template-authoring environments) can still be forced by a single crafted template to monopolize a Node.js event-loop worker for attacker-controlled time, potentially stalling in-flight requests, with availability impact only. This issue has been fixed in version 10.26.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-18
AI Q&A
2026-06-18
EPSS Evaluated
N/A
NVD
CVE-2026-44645
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
liquidjs liquidjs to 10.26.0 (exc)
liquidjs liquidjs 10.26.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The vulnerability can impact you by allowing an attacker to monopolize a Node.js event-loop worker for a prolonged period. This can stall in-flight requests and degrade the availability of the service, leading to a denial-of-service (DoS) condition. Systems relying on the renderLimit option for DoS protection, especially in multi-tenant environments where multiple users can author templates, are particularly at risk.

Executive Summary

This vulnerability exists in LiquidJS, a JavaScript template engine, in versions 10.25.7 and below. The issue involves the renderLimit option, which is intended to limit the time consumed by each render() call to prevent denial-of-service (DoS) attacks. However, this limit can be bypassed by using a {% for %} or {% tablerow %} tag with an empty body. Because the per-iteration time check only occurs if the loop body contains at least one template node, an empty loop iterates over the entire collection without triggering the renderLimit. This allows a low-privileged template author to cause the rendering process to consume significantly more time than allowed, effectively blocking the Node.js event-loop thread for an attacker-controlled duration.

Compliance Impact

This vulnerability in LiquidJS allows an attacker to bypass the renderLimit option, causing a denial-of-service (DoS) condition by monopolizing the Node.js event-loop worker. The impact is on availability only, with no confidentiality or integrity loss.

Since the vulnerability affects availability but does not impact confidentiality or integrity, it may have limited direct implications on compliance with standards like GDPR or HIPAA, which primarily focus on protecting personal data confidentiality and integrity.

However, availability is also a component of information security and can be relevant under certain regulatory frameworks. Organizations relying on LiquidJS in multi-tenant environments should consider the risk of service disruption and its potential indirect effects on compliance.

Mitigation Strategies

To mitigate this vulnerability, upgrade LiquidJS to version 10.26.0 or later, where the issue has been fixed.

Avoid relying solely on the renderLimit option for denial-of-service protection, as it can be bypassed by crafted templates with empty loop bodies.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44645. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart