CVE-2026-55575
Harttle · LiquidJS
LiquidJS is vulnerable to an allocation of resources without limits or throttling, potentially allowing an unauthenticated attacker to cause a denial-of-service condition.
Executive summary
A resource exhaustion vulnerability in the LiquidJS template engine may allow an unauthenticated attacker to cause significant application instability or denial-of-service.
Vulnerability
The vulnerability exists due to improper resource management, classified as CWE-770 (Allocation of Resources Without Limits or Throttling). This flaw can be triggered by an unauthenticated attacker to exhaust server resources.
Business impact
The ability to trigger resource exhaustion poses a significant threat to service availability. Successful exploitation could lead to application downtime, disrupting critical business processes and impacting user productivity. With a CVSS score of 8.2, this high-severity vulnerability requires immediate attention to prevent operational disruption.
Remediation
Immediate Action: Upgrade to LiquidJS version 10.27.1 or later to implement necessary resource constraints.
Proactive Monitoring: Monitor server CPU and memory usage patterns for anomalous spikes that may indicate an ongoing denial-of-service attempt.
Compensating Controls: Implement request rate limiting at the Web Application Firewall (WAF) or load balancer level to restrict the volume of potentially malicious template processing requests.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the ease with which resource exhaustion can be triggered, organizations utilizing LiquidJS must prioritize the update to version 10.27.1. Applying this patch is the only definitive way to mitigate the risk of service degradation and ensure the stability of dependent applications.