LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body

Description

The renderLimit option — documented in docs/source/tutorials/dos.md as the mechanism that “mitigates this by limiting the time consumed by each render() call” — can be fully bypassed by a {% for %} (or {% tablerow %}) tag whose body is empty.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 10.25.7

References

• GHSA-8xx9-69p8-7jp3
• CVE-2026-44645
• CWE-400
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value - CVE-2026-34595
• Parse Server has a session field immutability bypass via falsy-value guard - CVE-2026-34574
• LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter - CVE-2026-34166
• Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939

You might also like:

CSRF, XXE, and 12 Other Security Acronyms Explained

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

Update Cheat Sheet for Developers

Tags:

npm

liquidjs