LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex
- Severity:
- High
Description
The built-in strip_html filter in liquidjs uses a regex containing four lazy-quantified alternatives. When the input contains many <script, <style, or <!-- opener tokens without matching closers, the V8 regex engine performs O(N²) backtracking, blocking the Node.js event loop. A single ~350 KB request ('<script'.repeat(50000)) stalls the process for ~10 seconds; cost grows quadratically with input size.
Recommendation
Update the liquidjs package to the latest compatible version. Followings are version details:
- Affected version(s): < 10.26.0
- Patched version(s): 10.26.0
References
Related Issues
- LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS - CVE-2026-44644
- LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter - CVE-2026-34166
- LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting sid - CVE-2026-39412
- Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery - CVE-2026-30925
You might also like:
- Tags:
- npm
- liquidjs
Anything's wrong? Let us know Last updated on May 27, 2026