Denial of Service Vulnerability in LiquidJS Template Engine by Harttle
CVE-2026-41311

7.5 HIGH

Key Information:

Vendor: Harttle

Status: Vendor

CVE Published: 9 May 2026

What is CVE-2026-41311?

A Denial of Service vulnerability exists in the LiquidJS template engine prior to version 10.25.7, caused by a circular block reference between {% layout %} and {% block %} tags. The circular reference triggers an infinite recursive loop that consumes all available memory (~4GB) and crashes the Node.js process with the message "FATAL ERROR: JavaScript heap out of memory". Any user who can upload a Liquid template can exploit this to disrupt service availability. A fix is included in version 10.25.7.
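As a defender-side complement to upgrading, a service that accepts uploaded Liquid templates can reject a template set whose {% layout %} references form a cycle before anything is rendered. The following is an added example, not code from LiquidJS or from this advisory; it assumes templates are stored by name and that a cycle in the chain of {% layout "name" %} references is the condition to guard against (the advisory does not spell out the exact trigger, so a real deployment should still upgrade to 10.25.7 rather than rely on this check alone). The template sources are constructed for the example.

```javascript
// Added example: static pre-render check for circular {% layout %} chains
// in a set of uploaded Liquid templates. Hypothetical helper, not part of
// LiquidJS. Assumption: templates are keyed by name and a {% layout "x" %}
// tag refers to the template stored under "x".

// Matches {% layout "name" %} / {% layout 'name' %}, with optional
// whitespace-control dashes. Captures the referenced template name.
const LAYOUT_RE = /\{%-?\s*layout\s+["']([^"']+)["'][^%]*%\}/g;

// Returns the list of template names a source refers to via {% layout %}.
function layoutRefs(src) {
  const refs = [];
  for (const m of src.matchAll(LAYOUT_RE)) refs.push(m[1]);
  return refs;
}

// Depth-first search over the layout-reference graph. Returns the first
// cycle found as an array of names (last element repeats the first), or
// null if the template set is acyclic. References to templates that are
// not in the set are treated as leaves (they cannot extend a cycle here).
function findLayoutCycle(templates) {
  const WHITE = 0, GRAY = 1, BLACK = 2; // unvisited / on stack / done
  const state = new Map();
  const stack = [];

  function visit(name) {
    const s = state.get(name) || WHITE;
    if (s === GRAY) {
      // Back edge to a template still on the stack: that is a cycle.
      return stack.slice(stack.indexOf(name)).concat(name);
    }
    if (s === BLACK) return null;
    state.set(name, GRAY);
    stack.push(name);
    const src = templates.get(name);
    if (src !== undefined) {
      for (const ref of layoutRefs(src)) {
        const cycle = visit(ref);
        if (cycle) return cycle;
      }
    }
    stack.pop();
    state.set(name, BLACK);
    return null;
  }

  for (const name of templates.keys()) {
    const cycle = visit(name);
    if (cycle) return cycle;
  }
  return null;
}

// Constructed sample data: a normal layout/page pair (acyclic) ...
const SAFE_TEMPLATES = new Map([
  ['base', '<html>{% block content %}{% endblock %}</html>'],
  ['page', '{% layout "base" %}{% block content %}Hello{% endblock %}'],
]);

// ... and a set where two layouts point at each other.
const CYCLIC_TEMPLATES = new Map([
  ['a', '{%- layout "b" -%}{% block body %}{% endblock %}'],
  ['b', "{% layout 'a' %}{% block body %}{% endblock %}"],
]);

// Usage: reject an upload when a cycle is reported.
console.log('safe set cycle:', findLayoutCycle(SAFE_TEMPLATES));     // null
console.log('cyclic set cycle:', findLayoutCycle(CYCLIC_TEMPLATES)); // [ 'a', 'b', 'a' ]
```

Running the check on every upload keeps an unbounded layout chain from reaching the renderer; rendering untrusted templates in a separate worker with a memory cap and a timeout is a further containment step, so that a single runaway render cannot take down the main process.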

Affected Version(s)

liquidjs < 10.25.7

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
