LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body
- Severity:
- Medium
Description
The renderLimit option — documented in docs/source/tutorials/dos.md as the mechanism that “mitigates this by limiting the time consumed by each render() call” — can be fully bypassed by a {% for %} (or {% tablerow %}) tag whose body is empty.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 10.25.7
References
Related Issues
- Parse Server has a session field immutability bypass via falsy-value guard - CVE-2026-34574
- LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime) - CVE-2026-45357
- Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value - CVE-2026-34595
- LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter - CVE-2026-34166
You might also like:
- Tags:
- npm
- liquidjs
Anything's wrong? Let us know Last updated on May 27, 2026


