Vulnerability-Lookup

CVE-2026-45617 (GCVE-0-2026-45617)

Vulnerability from cvelistv5 – Published: 2026-06-17 22:14 – Updated: 2026-06-18 15:46

Title

LiquidJS: ReDoS via Quadratic Backtracking in `strip_html` Filter Regex

Summary

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the built-in strip_html filter uses a regex containing four flawed lazy-quantified alternatives, leading to ReDoS via quadratic backtracking. When the input contains many <script, <style, or <!-- opener tokens without matching closers, the V8 regex engine performs O(N²) backtracking, blocking the Node.js event loop. A single ~350 KB request ('<script'.repeat(50000)) stalls the process for ~10 seconds; cost grows quadratically with input size. The default memoryLimit: Infinity does not bound regex CPU, and even when configured strip_html only charges str.length to the limit — the regex itself runs unbounded. A single unauthenticated request containing crafted untrusted input can cause severe event-loop blocking and CPU amplification that saturates Node.js workers while bypassing memoryLimit protections. This issue has been fixed in version 10.26.0.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-1333 - Inefficient Regular Expression Complexity

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/harttle/liquidjs/security/advi…	x_refsource_CONFIRM
https://github.com/harttle/liquidjs/commit/3616a7…	x_refsource_MISC
https://github.com/harttle/liquidjs/releases/tag/…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
harttle	liquidjs	Affected: < 10.26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45617",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-18T15:46:01.767622Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-18T15:46:28.241Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-r7g9-xpmj-5fcq"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "liquidjs",
          "vendor": "harttle",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 10.26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the built-in strip_html filter uses a regex containing four flawed lazy-quantified alternatives, leading to ReDoS via quadratic backtracking. When the input contains many \u003cscript, \u003cstyle, or \u003c!-- opener tokens without matching closers, the V8 regex engine performs O(N\u00b2) backtracking, blocking the Node.js event loop. A single ~350 KB request (\u0027\u003cscript\u0027.repeat(50000)) stalls the process for ~10 seconds; cost grows quadratically with input size. The default memoryLimit: Infinity does not bound regex CPU, and even when configured strip_html only charges str.length to the limit \u2014 the regex itself runs unbounded.  A single unauthenticated request containing crafted untrusted input can cause severe event-loop blocking and CPU amplification that saturates Node.js workers while bypassing memoryLimit protections. This issue has been fixed in version 10.26.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-17T22:14:38.396Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/harttle/liquidjs/security/advisories/GHSA-r7g9-xpmj-5fcq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-r7g9-xpmj-5fcq"
        },
        {
          "name": "https://github.com/harttle/liquidjs/commit/3616a744b9abeb425c217b340a2397d46176afb8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/harttle/liquidjs/commit/3616a744b9abeb425c217b340a2397d46176afb8"
        },
        {
          "name": "https://github.com/harttle/liquidjs/releases/tag/v10.26.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/harttle/liquidjs/releases/tag/v10.26.0"
        }
      ],
      "source": {
        "advisory": "GHSA-r7g9-xpmj-5fcq",
        "discovery": "UNKNOWN"
      },
      "title": "LiquidJS: ReDoS via Quadratic Backtracking in `strip_html` Filter Regex"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-45617",
    "datePublished": "2026-06-17T22:14:38.396Z",
    "dateReserved": "2026-05-12T20:31:43.448Z",
    "dateUpdated": "2026-06-18T15:46:28.241Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-45617",
      "date": "2026-06-24",
      "epss": "0.00385",
      "percentile": "0.30245"
    },
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-45617\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-18T15:46:01.767622Z\"}}}], \"references\": [{\"url\": \"https://github.com/harttle/liquidjs/security/advisories/GHSA-r7g9-xpmj-5fcq\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-18T15:46:20.491Z\"}}], \"cna\": {\"title\": \"LiquidJS: ReDoS via Quadratic Backtracking in `strip_html` Filter Regex\", \"source\": {\"advisory\": \"GHSA-r7g9-xpmj-5fcq\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"harttle\", \"product\": \"liquidjs\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 10.26.0\"}]}], \"references\": [{\"url\": \"https://github.com/harttle/liquidjs/security/advisories/GHSA-r7g9-xpmj-5fcq\", \"name\": \"https://github.com/harttle/liquidjs/security/advisories/GHSA-r7g9-xpmj-5fcq\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/harttle/liquidjs/commit/3616a744b9abeb425c217b340a2397d46176afb8\", \"name\": \"https://github.com/harttle/liquidjs/commit/3616a744b9abeb425c217b340a2397d46176afb8\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/harttle/liquidjs/releases/tag/v10.26.0\", \"name\": \"https://github.com/harttle/liquidjs/releases/tag/v10.26.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the built-in strip_html filter uses a regex containing four flawed lazy-quantified alternatives, leading to ReDoS via quadratic backtracking. When the input contains many \u003cscript, \u003cstyle, or \u003c!-- opener tokens without matching closers, the V8 regex engine performs O(N\\u00b2) backtracking, blocking the Node.js event loop. A single ~350 KB request (\u0027\u003cscript\u0027.repeat(50000)) stalls the process for ~10 seconds; cost grows quadratically with input size. The default memoryLimit: Infinity does not bound regex CPU, and even when configured strip_html only charges str.length to the limit \\u2014 the regex itself runs unbounded.  A single unauthenticated request containing crafted untrusted input can cause severe event-loop blocking and CPU amplification that saturates Node.js workers while bypassing memoryLimit protections. This issue has been fixed in version 10.26.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1333\", \"description\": \"CWE-1333: Inefficient Regular Expression Complexity\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-17T22:14:38.396Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-45617\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-18T15:46:28.241Z\", \"dateReserved\": \"2026-05-12T20:31:43.448Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-17T22:14:38.396Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-45617

Vulnerability from fkie_nvd - Published: 2026-06-17 23:17 - Updated: 2026-06-18 17:16

Severity

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/harttle/liquidjs/commit/3616a744b9abeb425c217b340a2397d46176afb8
	security-advisories@github.com	https://github.com/harttle/liquidjs/releases/tag/v10.26.0
	security-advisories@github.com	https://github.com/harttle/liquidjs/security/advisories/GHSA-r7g9-xpmj-5fcq
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/harttle/liquidjs/security/advisories/GHSA-r7g9-xpmj-5fcq

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "affected": [
    {
      "affectedData": [
        {
          "product": "liquidjs",
          "vendor": "harttle",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 10.26.0"
            }
          ]
        }
      ],
      "source": "security-advisories@github.com"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the built-in strip_html filter uses a regex containing four flawed lazy-quantified alternatives, leading to ReDoS via quadratic backtracking. When the input contains many \u003cscript, \u003cstyle, or \u003c!-- opener tokens without matching closers, the V8 regex engine performs O(N\u00b2) backtracking, blocking the Node.js event loop. A single ~350 KB request (\u0027\u003cscript\u0027.repeat(50000)) stalls the process for ~10 seconds; cost grows quadratically with input size. The default memoryLimit: Infinity does not bound regex CPU, and even when configured strip_html only charges str.length to the limit \u2014 the regex itself runs unbounded.  A single unauthenticated request containing crafted untrusted input can cause severe event-loop blocking and CPU amplification that saturates Node.js workers while bypassing memoryLimit protections. This issue has been fixed in version 10.26.0."
    }
  ],
  "id": "CVE-2026-45617",
  "lastModified": "2026-06-18T17:16:31.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2026-45617",
          "options": [
            {
              "exploitation": "poc"
            },
            {
              "automatable": "yes"
            },
            {
              "technicalImpact": "partial"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-06-18T15:46:01.767622Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-06-17T23:17:04.033",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/harttle/liquidjs/commit/3616a744b9abeb425c217b340a2397d46176afb8"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/harttle/liquidjs/releases/tag/v10.26.0"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-r7g9-xpmj-5fcq"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-r7g9-xpmj-5fcq"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1333"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-R7G9-XPMJ-5FCQ

Vulnerability from github – Published: 2026-05-27 18:08 – Updated: 2026-05-27 18:08

Summary

LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex

Details

Summary

The built-in strip_html filter in liquidjs uses a regex containing four lazy-quantified alternatives. When the input contains many <script, <style, or <!-- opener tokens without matching closers, the V8 regex engine performs O(N²) backtracking, blocking the Node.js event loop. A single ~350 KB request ('<script'.repeat(50000)) stalls the process for ~10 seconds; cost grows quadratically with input size. The default memoryLimit: Infinity does not bound regex CPU, and even when configured strip_html only charges str.length to the limit — the regex itself runs unbounded.

Details

The vulnerable filter is at src/filters/html.ts:45-49:

export function strip_html (this: FilterImpl, v: string) {
  const str = stringify(v)
  this.context.memoryLimit.use(str.length)
  return str.replace(/<script[\s\S]*?<\/script>|<style[\s\S]*?<\/style>|<.*?>|<!--[\s\S]*?-->/g, '')
}

The regex contains four lazy patterns: 1. <script[\s\S]*?<\/script> 2. <style[\s\S]*?<\/style> 3. <.*?> 4. 

For an input like '<script'.repeat(N), the engine encounters N starting < positions. At each one it must lazily expand [\s\S]*? (and .*?) all the way to end-of-input searching for a closer that never appears, then fail and backtrack. Because each of the O(N) starts performs O(N) lazy-expansion work, total work is O(N²).

Reachability: 1. strip_html is a default-registered filter (exported from src/filters/html.ts, wired up via src/filters/index.ts), invocable from any template via {{ x | strip_html }}. 2. The filter calls String.prototype.replace with the vulnerable regex directly on the caller-supplied string, with no length cap and no timeout. 3. The default memoryLimit is Infinity (src/liquid-options.ts:198); the filter only charges str.length against memory (line 47), which does not bound CPU work for regex backtracking.

This is distinct from GHSA-45rm-2893-5f49 (prototype property leak, CWE-200) and from any prior replace/strip_html issues — the mechanism here is regex backtracking CPU consumption on a different filter.

PoC

Empirical scaling confirmed against a freshly built liquidjs@10.25.7 bundle on Node 22 / Linux:

node -e "
const { Liquid } = require('liquidjs');
const e = new Liquid();
(async () => {
  for (const n of [1000, 2000, 4000, 8000, 16000]) {
    const payload = '<script'.repeat(n);
    const t0 = Date.now();
    await e.parseAndRender('{{ x | strip_html }}', { x: payload });
    console.log('n=' + n + ' inputLen=' + payload.length + ' ms=' + (Date.now() - t0));
  }
})();
"

Verified output:

n=1000  inputLen=7000   ms=5
n=2000  inputLen=14000  ms=12     (2.4x for 2x size)
n=4000  inputLen=28000  ms=46     (3.8x for 2x size)
n=8000  inputLen=56000  ms=187    (4.0x for 2x size)
n=16000 inputLen=112000 ms=737    (3.9x for 2x size)

A larger payload extrapolates straightforwardly:

node -e "
const { Liquid } = require('liquidjs');
const e = new Liquid();
(async () => {
  const payload = '<script'.repeat(50000);  // 350 KB
  const t0 = Date.now();
  await e.parseAndRender('{{ x | strip_html }}', { x: payload });
  console.log('elapsed ms:', Date.now() - t0);
})();
"
# elapsed ms: ~10000+ (Node single-threaded event loop fully blocked)

The same pathology applies to <style and <!-- openers.

Impact

Single-request DoS: A 350 KB request body stalls the Node.js event loop for ~10 seconds; 700 KB takes ~40 s; 1.4 MB takes ~160 s. All other requests on the process queue behind the regex.
Trivial amplification: Quadratic scaling means small attacker bandwidth produces large server CPU consumption. A handful of concurrent requests fully saturates the worker.
No authentication required: The typical use case for strip_html is sanitizing untrusted input (comments, posts, profile bios, product descriptions). Any endpoint that renders user content through strip_html is exposed.
memoryLimit doesn't help: Even applications that opt into memoryLimit are not protected, because (a) the regex CPU runs to completion before any output is produced, and (b) only str.length is charged, not the cost of the regex traversal.

Recommended Fix

Replace the backtracking regex with an atomic / non-overlapping pattern, and/or perform a single linear pass.

Option 1 — anchor each alternative so lazy expansion fails fast on chunked content (no [\s\S]*? over the full tail):

return str.replace(
  /<script\b[^<]*(?:<(?!\/script>)[^<]*)*<\/script>|<style\b[^<]*(?:<(?!\/style>)[^<]*)*<\/style>|<!--[^-]*(?:-(?!->)[^-]*)*-->|<[^>]*>/g,
  ''
)

This unrolls each lazy quantifier so each < is visited at most a constant number of times overall — linear total work.

Option 2 — single-pass tokenizer in plain code; iterate over the string once, tracking whether you are inside <script>, <style>, comment, or generic tag, and emit nothing for those ranges.

Either fix should be combined with charging the regex output cost honestly to memoryLimit and (defensively) capping input length up front:

export function strip_html (this: FilterImpl, v: string) {
  const str = stringify(v)
  this.context.memoryLimit.use(str.length)
  // ... linear-time strip implementation here
}

Severity

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "liquidjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45617"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-27T18:08:19Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe built-in `strip_html` filter in liquidjs uses a regex containing four lazy-quantified alternatives. When the input contains many `\u003cscript`, `\u003cstyle`, or `\u003c!--` opener tokens without matching closers, the V8 regex engine performs O(N\u00b2) backtracking, blocking the Node.js event loop. A single ~350 KB request (`\u0027\u003cscript\u0027.repeat(50000)`) stalls the process for ~10 seconds; cost grows quadratically with input size. The default `memoryLimit: Infinity` does not bound regex CPU, and even when configured `strip_html` only charges `str.length` to the limit \u2014 the regex itself runs unbounded.\n\n## Details\n\nThe vulnerable filter is at `src/filters/html.ts:45-49`:\n\n```ts\nexport function strip_html (this: FilterImpl, v: string) {\n  const str = stringify(v)\n  this.context.memoryLimit.use(str.length)\n  return str.replace(/\u003cscript[\\s\\S]*?\u003c\\/script\u003e|\u003cstyle[\\s\\S]*?\u003c\\/style\u003e|\u003c.*?\u003e|\u003c!--[\\s\\S]*?--\u003e/g, \u0027\u0027)\n}\n```\n\nThe regex contains four lazy patterns:\n1. `\u003cscript[\\s\\S]*?\u003c\\/script\u003e`\n2. `\u003cstyle[\\s\\S]*?\u003c\\/style\u003e`\n3. `\u003c.*?\u003e`\n4. `\u003c!--[\\s\\S]*?--\u003e`\n\nFor an input like `\u0027\u003cscript\u0027.repeat(N)`, the engine encounters N starting `\u003c` positions. At each one it must lazily expand `[\\s\\S]*?` (and `.*?`) all the way to end-of-input searching for a closer that never appears, then fail and backtrack. Because each of the O(N) starts performs O(N) lazy-expansion work, total work is O(N\u00b2).\n\nReachability:\n1. `strip_html` is a default-registered filter (exported from `src/filters/html.ts`, wired up via `src/filters/index.ts`), invocable from any template via `{{ x | strip_html }}`.\n2. The filter calls `String.prototype.replace` with the vulnerable regex directly on the caller-supplied string, with no length cap and no timeout.\n3. The default `memoryLimit` is `Infinity` (`src/liquid-options.ts:198`); the filter only charges `str.length` against memory (line 47), which does not bound CPU work for regex backtracking.\n\nThis is distinct from `GHSA-45rm-2893-5f49` (prototype property leak, CWE-200) and from any prior `replace`/`strip_html` issues \u2014 the mechanism here is regex backtracking CPU consumption on a different filter.\n\n## PoC\n\nEmpirical scaling confirmed against a freshly built `liquidjs@10.25.7` bundle on Node 22 / Linux:\n\n```bash\nnode -e \"\nconst { Liquid } = require(\u0027liquidjs\u0027);\nconst e = new Liquid();\n(async () =\u003e {\n  for (const n of [1000, 2000, 4000, 8000, 16000]) {\n    const payload = \u0027\u003cscript\u0027.repeat(n);\n    const t0 = Date.now();\n    await e.parseAndRender(\u0027{{ x | strip_html }}\u0027, { x: payload });\n    console.log(\u0027n=\u0027 + n + \u0027 inputLen=\u0027 + payload.length + \u0027 ms=\u0027 + (Date.now() - t0));\n  }\n})();\n\"\n```\n\nVerified output:\n```\nn=1000  inputLen=7000   ms=5\nn=2000  inputLen=14000  ms=12     (2.4x for 2x size)\nn=4000  inputLen=28000  ms=46     (3.8x for 2x size)\nn=8000  inputLen=56000  ms=187    (4.0x for 2x size)\nn=16000 inputLen=112000 ms=737    (3.9x for 2x size)\n```\n\nA larger payload extrapolates straightforwardly:\n```bash\nnode -e \"\nconst { Liquid } = require(\u0027liquidjs\u0027);\nconst e = new Liquid();\n(async () =\u003e {\n  const payload = \u0027\u003cscript\u0027.repeat(50000);  // 350 KB\n  const t0 = Date.now();\n  await e.parseAndRender(\u0027{{ x | strip_html }}\u0027, { x: payload });\n  console.log(\u0027elapsed ms:\u0027, Date.now() - t0);\n})();\n\"\n# elapsed ms: ~10000+ (Node single-threaded event loop fully blocked)\n```\n\nThe same pathology applies to `\u003cstyle` and `\u003c!--` openers.\n\n## Impact\n\n- **Single-request DoS:** A 350 KB request body stalls the Node.js event loop for ~10 seconds; 700 KB takes ~40 s; 1.4 MB takes ~160 s. All other requests on the process queue behind the regex.\n- **Trivial amplification:** Quadratic scaling means small attacker bandwidth produces large server CPU consumption. A handful of concurrent requests fully saturates the worker.\n- **No authentication required:** The typical use case for `strip_html` is sanitizing untrusted input (comments, posts, profile bios, product descriptions). Any endpoint that renders user content through `strip_html` is exposed.\n- **memoryLimit doesn\u0027t help:** Even applications that opt into `memoryLimit` are not protected, because (a) the regex CPU runs to completion before any output is produced, and (b) only `str.length` is charged, not the cost of the regex traversal.\n\n## Recommended Fix\n\nReplace the backtracking regex with an atomic / non-overlapping pattern, and/or perform a single linear pass.\n\nOption 1 \u2014 anchor each alternative so lazy expansion fails fast on chunked content (no `[\\s\\S]*?` over the full tail):\n```ts\nreturn str.replace(\n  /\u003cscript\\b[^\u003c]*(?:\u003c(?!\\/script\u003e)[^\u003c]*)*\u003c\\/script\u003e|\u003cstyle\\b[^\u003c]*(?:\u003c(?!\\/style\u003e)[^\u003c]*)*\u003c\\/style\u003e|\u003c!--[^-]*(?:-(?!-\u003e)[^-]*)*--\u003e|\u003c[^\u003e]*\u003e/g,\n  \u0027\u0027\n)\n```\nThis unrolls each lazy quantifier so each `\u003c` is visited at most a constant number of times overall \u2014 linear total work.\n\nOption 2 \u2014 single-pass tokenizer in plain code; iterate over the string once, tracking whether you are inside `\u003cscript\u003e`, `\u003cstyle\u003e`, comment, or generic tag, and emit nothing for those ranges.\n\nEither fix should be combined with charging the regex output cost honestly to `memoryLimit` and (defensively) capping input length up front:\n```ts\nexport function strip_html (this: FilterImpl, v: string) {\n  const str = stringify(v)\n  this.context.memoryLimit.use(str.length)\n  // ... linear-time strip implementation here\n}\n```",
  "id": "GHSA-r7g9-xpmj-5fcq",
  "modified": "2026-05-27T18:08:19Z",
  "published": "2026-05-27T18:08:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-r7g9-xpmj-5fcq"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/harttle/liquidjs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/harttle/liquidjs/releases/tag/v10.26.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-45617 (GCVE-0-2026-45617)

FKIE_CVE-2026-45617

GHSA-R7G9-XPMJ-5FCQ

Summary

Details

PoC

Impact

Recommended Fix

Tags

Sightings

Nomenclature