liquidjs has a Denial of Service via circular block reference in layout
- Severity:
- High
Description
A circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with FATAL ERROR: JavaScript heap out of memory. This allows any user who can submit a Liquid template to perform a Denial of Service attack.
Recommendation
Update the liquidjs package to the latest compatible version. Followings are version details:
- Affected version(s): < 10.25.7
- Patched version(s): 10.25.7
References
Related Issues
- Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery - CVE-2026-30925
- Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939
- Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input - CVE-2026-33891
- Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths - CVE-2026-39320
You might also like:
- Tags:
- npm
- liquidjs
Anything's wrong? Let us know Last updated on May 13, 2026