https://feed.craftedsignal.io/tags/liquidjs/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 25 Mar 2026 17:44:23 +0000https://feed.craftedsignal.io/briefs/2024-02-liquidjs-dos/Wed, 25 Mar 2026 17:44:23 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-02-liquidjs-dos/The `replace_first` filter in LiquidJS is vulnerable to exponential memory amplification due to its use of JavaScript's `String.prototype.replace()` and mishandling of the `$&` backreference pattern, allowing attackers to bypass the `memoryLimit` and cause denial of service.LiquidJS version 10.24.0 and earlier contains a vulnerability in its replace_first filter that allows for exponential memory amplification. The replace_first filter delegates to JavaScript’s native String.prototype.replace(), which interprets $& as a backreference to the matched substring. The filter only charges the input string length against the configured memoryLimit, not the amplified output. An attacker can exploit this by crafting a Liquid template with a replacement string containing multiple repetitions of $&, causing the output string to grow exponentially with each replacement. By chaining this technique across multiple variable assignments, an attacker can easily exhaust available memory, leading to a denial-of-service condition. This vulnerability affects applications that render user-provided Liquid templates, such as CMS platforms, newsletter editors, and SaaS platforms.

Attack Chain

1. The attacker crafts a malicious Liquid template.
2. The template uses the replace_first filter with a pattern containing multiple $& backreferences. For example: {% assign s = "A" %}{% assign s = s | replace_first: s, "$&$&$&...(50 times)...$&" %}.
3. The LiquidJS engine parses the template.
4. The replace_first filter is called.
5. The filter utilizes the native String.prototype.replace() method to perform the replacement.
6. Each instance of $& in the replacement string is expanded to the matched substring, causing the output string to grow exponentially.
7. The expanded string consumes excessive memory, potentially exceeding available resources.
8. The application crashes or becomes unresponsive, resulting in a denial-of-service condition.

Impact

Successful exploitation of this vulnerability can lead to a denial-of-service condition. A single request can allocate hundreds of megabytes of memory, and concurrent requests can cause complete service unavailability. The Node.js event loop is blocked, and legitimate user requests are stalled. Empirical results have demonstrated that with 20 concurrent requests, legitimate users experience up to 13-second delays. Each attack request costs only a few hundred bytes, making it easy to launch a large-scale attack.

Recommendation

• Apply a patch to LiquidJS that properly accounts for memory usage when using the replace_first filter with backreferences.
• Alternatively, disable or remove the replace_first filter entirely and use the replace filter instead, which treats $& as a literal string.
• Implement input validation and sanitization to prevent the use of $& backreferences in user-provided Liquid templates.
• Monitor web server logs for suspicious requests containing Liquid templates with excessive use of the replace_first filter and $& patterns using the Sigma rule below.
• Implement rate limiting to mitigate the impact of denial-of-service attacks.
• Increase the memoryLimit configuration value to provide a temporary buffer against memory exhaustion, but this will not fully prevent the attack.

]]>criticaladvisoryliquidjsdenial-of-servicememory-amplificationhttps://feed.craftedsignal.io/briefs/2024-01-03-liquidjs-dos/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-liquidjs-dos/A vulnerability in liquidjs versions prior to 10.25.7 allows for denial of service due to a circular block reference in the layout, causing an infinite recursive loop that exhausts memory and crashes the Node.js process.The liquidjs template engine, in versions prior to 10.25.7, is vulnerable to a denial-of-service (DoS) attack. This vulnerability stems from the improper handling of circular block references within the {% layout %} and {% block %} tags. When a template contains a nested block with the same name as an outer block, the rendering process enters an infinite recursive loop. This loop rapidly consumes available memory, leading to a “JavaScript heap out of memory” error and the subsequent crashing of the Node.js process. The vulnerability allows any user capable of submitting a Liquid template to trigger the DoS. This is especially concerning for CMS platforms, email template builders, and multi-tenant SaaS products.

Attack Chain

1. An attacker crafts a malicious Liquid template containing circular block references, specifically nesting a block with the same name inside another block. For example, {% block a %}outer-a {% block a %}inner-a{% endblock %}{% endblock %}.
2. The attacker submits this crafted template to an application that uses liquidjs for template rendering. This could be a CMS, email template builder, or any platform allowing user-provided Liquid templates.
3. The application’s liquidjs engine begins rendering the template.
4. During the rendering process, the engine encounters the nested block structure.
5. The engine attempts to resolve the block references, resulting in a recursive call to the same block’s render function.
6. This recursive call creates an infinite loop, as the inner block continuously calls the outer block’s render function, and vice versa.
7. The infinite loop causes uncontrolled memory allocation, rapidly consuming all available system memory (up to ~4GB).
8. The Node.js process running the liquidjs engine crashes with a “FATAL ERROR: JavaScript heap out of memory” error, leading to a denial of service.

Impact

Successful exploitation of this vulnerability leads to a denial of service (DoS). Any application that accepts user-provided or user-influenced Liquid templates can be crashed by a single malicious template. The Node.js process is terminated by the operating system due to memory exhaustion, resulting in complete service disruption. The number of potential victims is large, including CMS platforms, email template builders, multi-tenant SaaS products, and static site generators with untrusted input.

Recommendation

• Upgrade to liquidjs version 10.25.7 or later to patch CVE-2026-41311.
• Implement input validation and sanitization for Liquid templates to prevent the submission of malicious code.
• Monitor Node.js processes for excessive memory consumption, which could indicate a DoS attack.
• Deploy the Sigma rule Detect LiquidJS Template DoS to identify potentially malicious templates based on nested block structures.

]]>mediumadvisoryliquidjsdenial-of-servicetemplate-injection