GHSA-8xx9-69p8-7jp3: LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body
Summary
The renderLimit option — documented in docs/source/tutorials/dos.md as the mechanism that "mitigates this by limiting the time consumed by each render() call" — can be fully bypassed by a {% for %} (or {% tablerow %}) tag whose body is empty. The per-iteration time check is reached only when the body contains at least one template node, so a template like {%- for i in (1..N) -%}{%- endfor -%} iterates the full collection without ever consulting renderLimit. With a configured renderLimit of 50 ms, a single parseAndRenderSync call has been observed to consume 2.26 seconds (~45× over the limit) and scales linearly with N up to memoryLimit, allowing a low-privileged template author to wedge an event-loop thread for an attacker-chosen duration.
Details
Render.renderTemplates is the single point at which renderLimit is consulted:
// src/render/render.ts
14: public * renderTemplates (templates: Template[], ctx: Context, emitter?: Emitter): IterableIterator<any> {
15: if (!emitter) {
16: emitter = ctx.opts.keepOutputType ? new KeepingTypeEmitter() : new SimpleEmitter()
17: }
18: const errors = []
19: for (const tpl of templates) {
20: ctx.renderLimit.check(getPerformance().now())
21: try {
22: const html = yield tpl.render(ctx, emitter)
...
32: }
The check at line 20 lives inside the for (const tpl of templates) body. When templates.length === 0, the loop body never executes, so the limiter is never consulted on that invocation.
The for tag re-enters renderTemplates once per collection item with no independent time check:
// src/tags/for.ts
70: for (const item of collection) {
71: scope[this.variable] = item
72: ctx.continueCalled = ctx.breakCalled = false
73: yield r.renderTemplates(this.templates, ctx, emitter)
74: if (ctx.breakCalled) break
75: scope.forloop.next()
76: }
When {%- for i in (1..N) -%}{%- endfor -%} is parsed, this.templates is []. Each of the N calls to r.renderTemplates(this.templates, ctx, emitter) therefore performs zero renderLimit.chec
Details
Original advisory: https://github.com/advisories/GHSA-8xx9-69p8-7jp3
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-446450.32% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 24% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-44645 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10