CVE-2026-55575
Received Received - Intake

Memory Limit Bypass in LiquidJS via Pop Filter

Vulnerability report for CVE-2026-55575, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.27.1, the pop array filter at src/filters/array.ts allocated a full clone of its input array via [...toArray(v)] without calling this.context.memoryLimit.use(...), allowing a template render such as {{ huge_array | pop }} to allocate an O(N) clone of an attacker-influenced array outside the configured memoryLimit budget. This issue is fixed in version 10.27.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
liquidjs liquidjs 10.27.1
harttle liquidjs 10.27.1
harttle liquidjs to 10.27.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-55575 vulnerability affects the LiquidJS template engine, specifically its `pop` array filter. This filter clones its input array without enforcing the configured memory limits, unlike other similar filters. As a result, when a template uses `{{ huge_array | pop }}`, it can allocate a large amount of memory proportional to the size of the input array without restriction.

This happens because the `pop` filter does not call the memory limit enforcement function `this.context.memoryLimit.use(...)`, allowing an attacker to bypass memory usage controls.

Compliance Impact

The vulnerability in LiquidJS allows an attacker to cause denial-of-service (DoS) conditions by bypassing memory limits during template rendering. This can lead to service unavailability or degraded performance, which may indirectly impact compliance with standards like GDPR or HIPAA that require maintaining availability and integrity of systems processing sensitive data.

However, the provided information does not explicitly discuss direct effects on compliance with specific regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can lead to denial-of-service (DoS) conditions by allowing excessive memory allocation during template rendering. An attacker can exploit this by providing a large array to the `pop` filter, causing the system to consume large amounts of memory and potentially crash or become unresponsive.

This is especially critical in multi-tenant environments where untrusted input influences the size of arrays processed by the template engine.

Mitigations include avoiding the use of the `pop` filter on untrusted data or upgrading to a fixed version that enforces memory limits.

Detection Guidance

This vulnerability involves the `pop` array filter in LiquidJS versions prior to 10.27.1, which clones input arrays without enforcing memory limits, potentially leading to denial-of-service (DoS) conditions.

Detection can focus on identifying usage of the vulnerable LiquidJS versions (<= 10.27.0) and monitoring template rendering that uses the `pop` filter on large or attacker-controlled arrays.

Since this is a library-level issue, direct network detection commands are not specified in the resources. However, you can check the installed LiquidJS version with commands like:

  • npm list liquidjs
  • or check package.json dependencies for liquidjs version.

Additionally, monitoring application logs or template usage for the `pop` filter applied to large arrays may help detect exploitation attempts.

Mitigation Strategies

To mitigate this vulnerability, upgrade LiquidJS to version 10.27.1 or later, where the `pop` filter properly enforces memory limits.

If upgrading immediately is not possible, avoid using the `pop` filter on untrusted or attacker-controlled arrays to prevent potential memory exhaustion.

Alternatively, implement a custom wrapper filter around `pop` that enforces memory limits by calling `this.context.memoryLimit.use(...)` before cloning arrays.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55575. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart