PatchSiren cyber security CVE debrief

CVE-2026-45357 harttle CVE debrief

CVE-2026-45357 is a high-severity vulnerability in LiquidJS, a Shopify/GitHub Pages compatible template engine. The vulnerability allows for memory and render limit bypass, potentially leading to large memory allocations, high CPU usage, or OOM crashes per render. This issue was fixed in version 10.26.0. Users of LiquidJS should update to the latest version to mitigate this vulnerability. The vulnerability has a CVSS score of 7.5 and is considered high severity. It was published on June 17, 2026, and modified on June 18, 2026.

Vendor: harttle
Product: liquidjs
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-22
Advisory published: 2026-06-17
Advisory updated: 2026-06-22

Who should care

Developers and administrators using LiquidJS in their applications should be aware of this vulnerability and take steps to mitigate it. This includes updating to the latest version of LiquidJS and reviewing their application's configuration to ensure that memory and render limits are properly set.

Technical summary

The vulnerability is caused by the date filter's strftime implementation parsing width specifiers such as %9999999d and forwarding the captured width unchecked into pad()/padStart(). The result is unbounded string concatenation that never consults the Context's memoryLimit or renderLimit, so a single render can allocate far more than those limits permit. The memoryLimit and renderLimit options advertised as DoS controls are entirely bypassed for this code path.
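
The following is an added illustration, not code from LiquidJS or from the advisory: a bounded strftime-style renderer in JavaScript in which the width captured from a directive is validated before any padding string is built, and the finished output is charged against a per-render byte budget that stands in for memoryLimit. The names RenderBudget, safeStrftime and MAX_FIELD_WIDTH, the cap of 64, and the sample date are assumptions; the fixed upstream implementation may differ.

```javascript
'use strict';

// Added example (not LiquidJS code). Assumed names throughout; the fixed upstream
// implementation may differ. Only a few strftime fields are supported, enough to
// exercise the width handling the advisory describes.
const MAX_FIELD_WIDTH = 64;               // assumed cap; no date field needs more
const DIRECTIVE_RE = /%(\d*)([a-zA-Z])/g; // %<optional width><conversion letter>

class RenderBudget {
  // Per-render byte counter standing in for a memoryLimit-style control.
  constructor(limitBytes) { this.limit = limitBytes; this.used = 0; }
  charge(bytes) {
    this.used += bytes;
    if (this.used > this.limit) {
      throw new RangeError(`render memory limit of ${this.limit} bytes exceeded`);
    }
  }
}

function fieldValue(letter, date) {
  switch (letter) {
    case 'Y': return String(date.getUTCFullYear());
    case 'm': return String(date.getUTCMonth() + 1);
    case 'd': return String(date.getUTCDate());
    case 'H': return String(date.getUTCHours());
    default: throw new Error(`unsupported directive %${letter}`);
  }
}

function safeStrftime(format, date, budget) {
  // The width is validated before any padding string exists, so a directive such
  // as "%9999999d" is rejected without allocating anything.
  const out = format.replace(DIRECTIVE_RE, (_match, widthText, letter) => {
    const width = widthText === '' ? 0 : Number(widthText);
    if (!Number.isSafeInteger(width) || width > MAX_FIELD_WIDTH) {
      throw new RangeError(`width ${widthText} exceeds maximum of ${MAX_FIELD_WIDTH}`);
    }
    return fieldValue(letter, date).padStart(width, '0');
  });
  // Even with every width capped, many directives in one format add up; the
  // finished output is charged against the render budget before it is returned.
  budget.charge(out.length);
  return out;
}

// Constructed sample input: the advisory's publication date, 09:00 UTC.
const sample = new Date(Date.UTC(2026, 5, 17, 9));
console.log(safeStrftime('%Y-%02m-%02d %02H', sample, new RenderBudget(1024)));
```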

Defensive priority

High

Recommended defensive actions

  • Update to LiquidJS version 10.26.0 or later
  • Review application configuration to ensure memory and render limits are properly set
  • Monitor application performance and memory usage
  • Implement additional security measures to prevent potential DoS attacks
  • Review and update documentation to reflect changes to memory and render limits
  • Consider implementing additional logging and monitoring to detect potential exploitation attempts

Evidence notes

The vulnerability was reported by an unknown source and fixed in version 10.26.0. The CVE record was published on June 17, 2026, and modified on June 18, 2026. The NVD detail page provides additional information on the vulnerability.