CVE-2026-45617
Description
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the built-in strip_html filter uses a regex containing four flawed lazy-quantified alternatives, leading to ReDoS via quadratic backtracking. When the input contains many <script, <style, or <!-- opener tokens without matching closers, the V8 regex engine performs O(N²) backtracking, blocking the Node.js event loop. A single ~350 KB request ('<script'.repeat(50000)) stalls the process for ~10 seconds; cost grows quadratically with input size. The default memoryLimit: Infinity does not bound regex CPU, and even when configured strip_html only charges str.length to the limit — the regex itself runs unbounded. A single unauthenticated request containing crafted untrusted input can cause severe event-loop blocking and CPU amplification that saturates Node.js workers while bypassing memoryLimit protections. This issue has been fixed in version 10.26.0.
CVSS Details
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Threat Intelligence
Weaknesses 1
References 3
- github.com https://github.com/harttle/liquidjs/commit/3616a744b9abeb425c217b340a2397d46176afb8
- github.com https://github.com/harttle/liquidjs/releases/tag/v10.26.0
- github.com https://github.com/harttle/liquidjs/security/advisories/GHSA-r7g9-xpmj-5fcq
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.