LiquidJS CVE-2026-41311: DoS Vulnerability in Template Engine
The National Vulnerability Database has disclosed CVE-2026-41311, a high-severity Denial of Service (DoS) vulnerability in LiquidJS, a popular JavaScript template engine compatible with Shopify and GitHub Pages. This flaw, present in versions prior to 10.25.7, stems from a circular block reference within the { % layout % } and { % block % } Liquid tags.
An attacker can exploit this by submitting a specially crafted Liquid template. This triggers an infinite recursive loop, exhausting all available memory (up to 4GB) and crashing the Node.js process with a ‘FATAL ERROR: JavaScript heap out of memory’. The National Vulnerability Database assigns this a CVSS score of 7.5 (High), noting its network-exploitable nature without requiring user interaction or elevated privileges.
This vulnerability allows any user capable of submitting a Liquid template to perform a DoS attack, making it critical for organizations using LiquidJS in user-facing applications or environments where untrusted users can submit templates. The issue has been addressed in LiquidJS version 10.25.7.
What This Means For You
- If your organization uses LiquidJS, especially in applications where untrusted users can submit templates (like content management systems or static site generators), you are exposed to a straightforward Denial of Service attack. Immediately audit your LiquidJS deployments and prioritize upgrading to version 10.25.7 or higher. Failing to patch means an attacker can easily take your Node.js application offline, impacting availability and potentially leading to significant operational disruption.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
LiquidJS DoS via Circular Block Reference - LiquidJS CVE-2026-41311
title: LiquidJS DoS via Circular Block Reference - LiquidJS CVE-2026-41311
id: scw-2026-05-09-ai-1
status: experimental
level: high
description: |
Detects potential exploitation of LiquidJS CVE-2026-41311 by identifying web requests containing patterns indicative of a circular block reference in Liquid templates, specifically '{ % layout % }' and '{ % block % }', which can lead to a Denial of Service by causing an infinite recursive loop. This rule looks for these patterns in the query string of web requests, often associated with a 500 Internal Server Error, which is a common symptom of a Node.js process crashing due to excessive memory consumption.
author: SCW Feed Engine (AI-generated)
date: 2026-05-09
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-41311/
tags:
- attack.impact
- attack.t1499
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- '{ % layout % }'
- '{ % block % }'
cs-uri-query|contains:
- 'infinite recursive loop'
condition: selection
selection_base:
sc-status:
- '500'
selection_indicators:
cs-uri-query|contains:
- '{ % layout % }'
- '{ % block % }'
condition: selection_base AND selection_indicators
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41311 | DoS | LiquidJS template engine versions prior to 10.25.7 |
| CVE-2026-41311 | DoS | Circular block reference in { % layout % } / { % block % } in LiquidJS |
| CVE-2026-41311 | DoS | Node.js process crash due to JavaScript heap out of memory in LiquidJS |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 09, 2026 at 07:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
Hikvision Switches: Authenticated RCE in Discontinued Products
CVE-2026-3828 — Some Hikvision switch products (discontinued since December 2023) are vulnerable to authenticated remote command execution due to insufficient input validation. Attackers with valid...
CVE-2026-32683 — Some EZVIZ products utilize older versions of cloud feature
CVE-2026-32683 — Some EZVIZ products utilize older versions of cloud feature modules with legacy API interfaces, which pose a data transmission risk. Attackers can exploit...
CVE-2026-1749 — Some HikCentral Professional Versions. This Vulnerability
CVE-2026-1749 — There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission.