Package details: pkg:npm/liquidjs@10.25.7
purl pkg:npm/liquidjs@10.25.7
Next non-vulnerable version 10.26.0
Latest non-vulnerable version 10.26.0
Risk 4.0
Vulnerabilities affecting this package (4)
| Vulnerability | Summary | Fixed by |
| --- | --- | --- |
| VCID-9rvg-m1s9-q7g8 (Aliases: CVE-2026-44645, GHSA-8xx9-69p8-7jp3) | LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body | There are no reported fixed by versions. |
| VCID-aeat-fxbf-xbed (Aliases: CVE-2026-44646, GHSA-9x9p-qf8f-mvjg) | LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()` | There are no reported fixed by versions. |
| VCID-hsu4-rbg2-77g7 (Aliases: CVE-2026-44644, GHSA-2qv6-9wx5-cwv4) | LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS | There are no reported fixed by versions. |
| VCID-z1u2-3tmy-pkd6 (Aliases: CVE-2026-45357, GHSA-hh27-hf48-9f5q) | LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime) | There are no reported fixed by versions. |
Vulnerabilities fixed by this package (1)
| Vulnerability | Summary | Aliases |
| --- | --- | --- |
| VCID-senw-hmwk-qqhj | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.7, a circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with FATAL ERROR: JavaScript heap out of memory. This allows any user who can submit a Liquid template to perform a Denial of Service attack. This issue has been patched in version 10.25.7. | CVE-2026-41311, GHSA-4rc3-7j7w-m548 |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-06-13T06:29:35.827084+00:00 | GHSA Importer | Fixing | VCID-senw-hmwk-qqhj | https://github.com/advisories/GHSA-4rc3-7j7w-m548 | 38.6.0 |
| 2026-06-12T22:12:45.415200+00:00 | GitLab Importer | Fixing | VCID-senw-hmwk-qqhj | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/liquidjs/CVE-2026-41311.yml | 38.6.0 |
| 2026-06-12T07:45:39.157351+00:00 | GithubOSV Importer | Fixing | VCID-senw-hmwk-qqhj | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4rc3-7j7w-m548/GHSA-4rc3-7j7w-m548.json | 38.6.0 |
| 2026-06-11T20:38:51.676330+00:00 | GHSA Importer | Affected by | VCID-z1u2-3tmy-pkd6 | https://github.com/advisories/GHSA-hh27-hf48-9f5q | 38.6.0 |
| 2026-06-11T20:38:51.175831+00:00 | GHSA Importer | Affected by | VCID-aeat-fxbf-xbed | https://github.com/advisories/GHSA-9x9p-qf8f-mvjg | 38.6.0 |
| 2026-06-11T20:38:51.160355+00:00 | GHSA Importer | Affected by | VCID-9rvg-m1s9-q7g8 | https://github.com/advisories/GHSA-8xx9-69p8-7jp3 | 38.6.0 |
| 2026-06-11T20:38:51.144862+00:00 | GHSA Importer | Affected by | VCID-hsu4-rbg2-77g7 | https://github.com/advisories/GHSA-2qv6-9wx5-cwv4 | 38.6.0 |