Anonymous Intelligence Signal

CVE-2026-41311: LiquidJS Template Engine Vulnerability Enables Memory Exhaustion Attacks

Source: The Lab (unverified), 2026-05-09 07:31:54, via Mastodon (mastodon.social, #infosec)

A high-severity vulnerability tracked as CVE-2026-41311 has been disclosed in LiquidJS, a JavaScript template engine compatible with Shopify and GitHub Pages. Rated 7.5 on the CVSS scale, the flaw allows attackers to trigger an infinite recursive loop through maliciously crafted template code, consuming approximately 4GB of memory and crashing affected systems. The vulnerability affects all versions prior to 10.25.7, which was released to address the issue.

The root cause lies in how LiquidJS handles circular block references within the {% layout %} and {% block %} template directives. When a template contains a circular reference—where a block recursively calls itself without termination—the engine fails to detect the loop and continues processing indefinitely. This results in uncontrolled memory allocation that exhausts available system resources. The attack requires no authentication or privileged access; an attacker need only submit a crafted template to any application that processes user-supplied Liquid templates without sandboxing.

The implications are significant for platforms exposing LiquidJS template rendering to untrusted input. Developers using LiquidJS for dynamic content generation, particularly in contexts where users can submit or influence templates, should upgrade to version 10.25.7 immediately. Applications that process only trusted, internally controlled templates face lower risk but remain vulnerable if template sources can be manipulated. The vulnerability class—resource exhaustion through recursive expansion—is well understood in template engines, yet continues to surface in implementations that prioritize flexibility over input validation. Security teams should audit template processing pipelines and consider implementing depth limits or sandboxing as defense-in-depth measures alongside the patch.
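To make the "depth limit" recommendation concrete, here is an added example of where such a guard sits in a layout/block resolver. It is not LiquidJS code and does not reproduce its internals: it is a toy engine over constructed templates, with assumed tag syntax (`{% layout "name" %}`, `{% block "name" %}...{% endblock %}`), a hypothetical `MAX_LAYOUT_DEPTH` default, and no support for nested blocks. The point it shows is that a circular layout reference is detected in a handful of steps and rejected with an error, rather than expanded until memory runs out.

```javascript
// Added example (not LiquidJS code): a toy layout/block resolver that shows
// where a cycle check and a depth limit belong in a template engine.
// Assumptions: templates are a plain object of name -> source, a template
// declares at most one {% layout "name" %} tag, and blocks are not nested.

// Matches {% layout "parent" %}; captures the parent template name.
const LAYOUT_TAG = /\{%\s*layout\s+"([^"]+)"\s*%\}/;
// Matches {% block "name" %}...{% endblock %}; captures name and body.
const BLOCK_TAG = /\{%\s*block\s+"([^"]+)"\s*%\}([\s\S]*?)\{%\s*endblock\s*%\}/g;

const MAX_LAYOUT_DEPTH = 16; // hypothetical default; tune per application

// Walks the layout chain from `start` up to the root template.
// Throws on a circular reference or when the chain exceeds `maxDepth`,
// instead of expanding until memory is exhausted.
function resolveLayoutChain(templates, start, maxDepth = MAX_LAYOUT_DEPTH) {
  const chain = [];
  const seen = new Set();
  let name = start;
  while (name !== undefined) {
    if (seen.has(name)) {
      throw new Error(`circular layout reference: ${[...chain, name].join(' -> ')}`);
    }
    if (chain.length >= maxDepth) {
      throw new Error(`layout nesting exceeds ${maxDepth} levels`);
    }
    const source = templates[name];
    if (source === undefined) {
      throw new Error(`unknown template: ${name}`);
    }
    seen.add(name);
    chain.push(name);
    const match = LAYOUT_TAG.exec(source);
    name = match ? match[1] : undefined;
  }
  return chain;
}

// Renders `start`: the nearest template in the chain wins for each block
// name; unfilled blocks in the root fall back to their default body.
function render(templates, start, maxDepth = MAX_LAYOUT_DEPTH) {
  const chain = resolveLayoutChain(templates, start, maxDepth);
  const overrides = new Map();
  for (const name of chain) {
    for (const m of templates[name].matchAll(BLOCK_TAG)) {
      if (!overrides.has(m[1])) overrides.set(m[1], m[2]);
    }
  }
  const root = templates[chain[chain.length - 1]];
  return root
    .replace(BLOCK_TAG, (_, blockName, fallback) =>
      overrides.has(blockName) ? overrides.get(blockName) : fallback)
    .trim();
}

// Constructed sample inputs: one well-formed inheritance chain and one
// two-template cycle of the kind the advisory describes.
const SAFE_TEMPLATES = {
  base: '<html>{% block "body" %}default{% endblock %}</html>',
  page: '{% layout "base" %}{% block "body" %}hello{% endblock %}',
};
const CYCLIC_TEMPLATES = {
  a: '{% layout "b" %}',
  b: '{% layout "a" %}',
};

console.log(render(SAFE_TEMPLATES, 'page')); // <html>hello</html>
try {
  render(CYCLIC_TEMPLATES, 'a');
} catch (err) {
  console.log('rejected:', err.message); // rejected: circular layout reference: a -> b -> a
}
```

The `seen` set catches genuine cycles in constant memory per template; the separate `maxDepth` bound is the defense-in-depth part, so that a very long but acyclic chain (or a reference pattern the cycle check does not model) is still cut off at a known cost. In a real deployment the same two guards would apply to any recursive expansion the engine performs, not only layouts.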