LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime)

Description

The date filter’s strftime implementation parses width specifiers like %9999999d and forwards the captured width unchecked into pad()/padStart() in src/util/underscore.ts.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 10.25.7

References

• GHSA-hh27-hf48-9f5q
• CVE-2026-45357
• CWE-400
• CAPEC-310
• OWASP 2021-A6

Related Issues

• LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter - CVE-2026-34166
• Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries - CVE-2026-32728
• Parse Server has a rate limit bypass via batch request endpoint - CVE-2026-30972
• Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS - CVE-2026-2581

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

liquidjs