{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/liquidjs/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["liquidjs"],"_cs_severities":["medium"],"_cs_tags":["liquidjs","denial-of-service","template-injection"],"_cs_type":"advisory","_cs_vendors":["liquidjs"],"content_html":"\u003cp\u003eThe liquidjs template engine, in versions prior to 10.25.7, is vulnerable to a denial-of-service (DoS) attack. The flaw is improper handling of circular block references in the \u003ccode\u003e{% layout %}\u003c/code\u003e and \u003ccode\u003e{% block %}\u003c/code\u003e tags. When a template nests a block inside another block of the same name, the renderer resolves the inner block to the block it is already rendering and recurses without a termination condition. The recursion allocates memory until the V8 heap limit is reached, at which point Node.js aborts with \u0026ldquo;FATAL ERROR: JavaScript heap out of memory\u0026rdquo; and the process is gone. Any user who can submit a Liquid template to an affected application can trigger the crash, which makes the issue especially concerning for CMS platforms, email template builders, and multi-tenant SaaS products that render user-supplied templates.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a Liquid template containing a circular block reference: a block nested inside a block of the same name, for example \u003ccode\u003e{% block a %}outer-a {% block a %}inner-a{% endblock %}{% endblock %}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the template to an application that renders it with liquidjs, such as a CMS, an email template builder, or any platform that accepts user-provided Liquid templates.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s liquidjs engine parses and begins rendering the template.\u003c/li\u003e\n\u003cli\u003eWhen the renderer reaches the inner \u003ccode\u003e{% block a %}\u003c/code\u003e, it resolves the block by name and re-enters the render function of the outer block \u003ccode\u003ea\u003c/code\u003e, which in turn reaches the inner block again.\u003c/li\u003e\n\u003cli\u003eNothing breaks this cycle, so rendering recurses indefinitely and allocates memory on every iteration until the V8 heap limit is reached (roughly 4 GB on a typical 64-bit Node.js build; the limit is set by \u003ccode\u003e--max-old-space-size\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Node.js process aborts with \u0026ldquo;FATAL ERROR: JavaScript heap out of memory\u0026rdquo;, taking every request it was serving down with it.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation results in a denial of service. Any application that accepts user-provided or user-influenced Liquid templates can be crashed by a single malicious template. Because V8 aborts the process when its heap is exhausted rather than throwing a catchable exception, application code cannot recover in-process; the service stays down until the process is restarted, and the same template crashes it again on the next render. The exposed population is large: CMS platforms, email template builders, multi-tenant SaaS products, and static site generators that accept untrusted input.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to liquidjs version 10.25.7 or later to patch CVE-2026-41311.\u003c/li\u003e\n\u003cli\u003eUntil the upgrade lands, reject templates that open a \u003ccode\u003e{% block %}\u003c/code\u003e with the same name as an enclosing block before they are stored or rendered; a lightweight pre-parse of the block tags is enough for this check.\u003c/li\u003e\n\u003cli\u003eRender untrusted templates in a worker thread or child process with its own heap limit and a render timeout, so that a malicious template exhausts only that worker rather than the main application process.\u003c/li\u003e\n\u003cli\u003eMonitor Node.js processes for memory growth during template rendering and alert on \u003ccode\u003eFATAL ERROR: JavaScript heap out of memory\u003c/code\u003e in process logs; repeated crashes tied to one tenant or template are a strong indicator of this attack.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect LiquidJS Template DoS\u003c/code\u003e to identify potentially malicious templates based on nested block structures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-liquidjs-dos/","summary":"A vulnerability in liquidjs versions prior to 10.25.7 allows denial of service: a circular block reference (a {% block %} nested inside a block of the same name within the layout/block mechanism) sends rendering into an infinite recursive loop that exhausts memory and crashes the Node.js process.","title":"liquidjs Denial of Service via Circular Block Reference","url":"https://feed.craftedsignal.io/briefs/2024-01-03-liquidjs-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Liquidjs","version":"https://jsonfeed.org/version/1.1"}
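The brief's attack chain and its recommendation to validate templates before rendering call for a concrete pre-render guard. The block below is an added example, not code from the liquidjs project or from the CraftedSignal feed: it scans a template's `{% block %}`/`{% endblock %}` tags and rejects a block nested inside a block of the same name (the exact proof-of-concept pattern from the brief), and, going beyond the reported case, follows `{% layout "name" %}` references across a set of templates to catch a layout chain that loops back on itself. The tag matching is a deliberately conservative approximation of Liquid syntax rather than liquidjs's own parser, the handling of unnamed blocks is an assumption noted in the comments, and the template names and sources are constructed for illustration.

```javascript
// Added example, not code from the liquidjs project or the CraftedSignal feed:
// a pre-render guard for untrusted Liquid templates. It rejects a {% block %}
// nested inside a block of the same name (the pattern described in the brief)
// and, going beyond the reported case, a {% layout %} chain that loops back on
// itself. The tag scanning is a deliberately conservative approximation of
// Liquid syntax, not liquidjs's own parser; template names and sources below
// are constructed for illustration.

// Tags inside {% raw %}...{% endraw %} and {% comment %}...{% endcomment %}
// are never executed, so blank them out (same length, offsets preserved).
const INERT_RE = /\{%-?\s*(raw|comment)\s*-?%\}[\s\S]*?\{%-?\s*end\1\s*-?%\}/g;
// Matches {% block name %}, {% endblock %} and {% layout "name" %},
// including the whitespace-control forms {%- ... -%}.
const TAG_RE = /\{%-?\s*(block|endblock|layout)\b([^%]*?)-?%\}/g;

function blankInert(source) {
  return source.replace(INERT_RE, (m) => ' '.repeat(m.length));
}

// Returns null when no block re-opens an enclosing block of the same name,
// otherwise { name, offset } of the first offending tag. Unnamed blocks all
// share the name "" and are treated as colliding (conservative assumption).
// Throws on unbalanced block tags, which the guard refuses to reason about.
function findSelfNestedBlock(source) {
  const open = [];
  for (const m of blankInert(source).matchAll(TAG_RE)) {
    const [, tag, args] = m;
    if (tag === 'block') {
      const name = args.trim().split(/\s+/)[0];
      if (open.includes(name)) return { name, offset: m.index };
      open.push(name);
    } else if (tag === 'endblock') {
      if (open.length === 0) throw new Error(`stray {% endblock %} at offset ${m.index}`);
      open.pop();
    }
  }
  if (open.length > 0) throw new Error(`unclosed {% block ${open[open.length - 1]} %}`);
  return null;
}

// Follows {% layout "x" %} from `start` through `templates` (Map of name ->
// source) and returns the first name visited twice, or null if the chain
// ends. Assumes layout targets are quoted literals naming entries in the map;
// {% layout none %} or an unknown target ends the chain.
function findLayoutCycle(templates, start) {
  const seen = new Set();
  let current = start;
  while (current !== null) {
    if (seen.has(current)) return current;
    seen.add(current);
    const source = templates.get(current);
    if (source === undefined) return null;
    current = null;
    for (const m of blankInert(source).matchAll(TAG_RE)) {
      if (m[1] !== 'layout') continue;
      const target = m[2].trim().match(/^["']([^"']+)["']/);
      current = target ? target[1] : null;
      break;
    }
  }
  return null;
}

// Runs both checks for one template and returns human-readable findings;
// an empty array means the template passed the guard.
function checkTemplate(templates, name) {
  const problems = [];
  const nested = findSelfNestedBlock(templates.get(name));
  if (nested) problems.push(`block "${nested.name}" nested in itself at offset ${nested.offset}`);
  const cycle = findLayoutCycle(templates, name);
  if (cycle) problems.push(`layout chain loops back to "${cycle}"`);
  return problems;
}

// Constructed sample templates: "crash" is the brief's proof-of-concept.
const TEMPLATES = new Map([
  ['crash', '{% block a %}outer-a {% block a %}inner-a{% endblock %}{% endblock %}'],
  ['safe', '{% block a %}outer-a {% block b %}inner-b{% endblock %}{% endblock %}'],
  ['raw-only', '{% raw %}{% block a %}{% block a %}{% endblock %}{% endblock %}{% endraw %}'],
  ['page', '{% layout "base" %}{% block body %}hello{% endblock %}'],
  ['base', '{% layout "page" %}{% block body %}{% endblock %}'],
]);

for (const name of TEMPLATES.keys()) {
  console.log(name, checkTemplate(TEMPLATES, name));
}
```

Run the guard at submission time, before a template is persisted, and again at render time on anything that bypassed the submission path; a non-empty result from `checkTemplate` should reject the template and log the tenant or user that submitted it, which is also the signal the brief's monitoring recommendation is looking for. The guard is intentionally strict (it throws on unbalanced tags and treats nested unnamed blocks as a collision), because the cost of a false positive here is one rejected template while the cost of a false negative is a crashed process.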