CVE-2026-55575

Harttle · LiquidJS

LiquidJS is vulnerable to an allocation of resources without limits or throttling, potentially allowing an unauthenticated attacker to cause a denial-of-service condition.

Executive summary

A resource exhaustion vulnerability in the LiquidJS template engine may allow an unauthenticated attacker to cause significant application instability or denial-of-service.

Vulnerability

The vulnerability exists due to improper resource management, classified as CWE-770 (Allocation of Resources Without Limits or Throttling). This flaw can be triggered by an unauthenticated attacker to exhaust server resources.

Business impact

The ability to trigger resource exhaustion poses a significant threat to service availability. Successful exploitation could lead to application downtime, disrupting critical business processes and impacting user productivity. With a CVSS score of 8.2, this high-severity vulnerability requires immediate attention to prevent operational disruption.

Remediation

Immediate Action: Upgrade to LiquidJS version 10.27.1 or later to implement necessary resource constraints.

Proactive Monitoring: Monitor server CPU and memory usage patterns for anomalous spikes that may indicate an ongoing denial-of-service attempt.

Compensating Controls: Implement request rate limiting at the Web Application Firewall (WAF) or load balancer level to restrict the volume of potentially malicious template processing requests.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the ease with which resource exhaustion can be triggered, organizations utilizing LiquidJS must prioritize the update to version 10.27.1. Applying this patch is the only definitive way to mitigate the risk of service degradation and ensure the stability of dependent applications.