PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55575 harttle CVE debrief

CVE-2026-55575 is a high-severity vulnerability in LiquidJS, a JavaScript template engine. The pop array filter could allocate an O(N) clone of an attacker-influenced array outside the configured memoryLimit budget, potentially leading to memory exhaustion attacks. Developers and administrators using LiquidJS in their applications, especially those with high-traffic or large input data, should prioritize patching to prevent potential memory exhaustion attacks.

Vendor
harttle
Product
liquidjs
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Developers and administrators using LiquidJS in their applications, especially those with high-traffic or large input data, should prioritize patching to prevent potential memory exhaustion attacks. Operators, platform administrators, vulnerability management teams, and security teams should review the affected scope and severity with the official CVE record and vendor guidance.

Technical summary

In LiquidJS versions prior to 10.27.1, the pop array filter at src/filters/array.ts allocated a full clone of its input array via [...toArray(v)] without calling this.context.memoryLimit.use(...). This allowed a template render such as {{ huge_array | pop }} to allocate an O(N) clone of an attacker-influenced array outside the configured memoryLimit budget. The issue is fixed in version 10.27.1. Affected product deployments should be reviewed, and compensating controls should be considered while remediation is scheduled and verified.

Defensive priority

High priority should be given to patching LiquidJS to version 10.27.1 or later to prevent potential memory exhaustion attacks. Additional security measures such as input validation and sanitization should be considered to mitigate the vulnerability. Monitoring for suspicious template rendering activity is also recommended to detect potential exploitation attempts. Compensating controls for exposed systems should be reviewed while remediation is scheduled and verified. Asset inventory and rollback/change windows should be tracked to ensure timely remediation and minimize potential impact. Source tracking and exposure review should also be performed to ensure that all affected systems are accounted for and remediated. The vulnerability should be reviewed in the context of existing security controls and risk management strategies to ensure effective mitigation.

Recommended defensive actions

  • Patch LiquidJS to version 10.27.1 or later
  • Review and adjust memoryLimit configurations as needed
  • Monitor for suspicious template rendering activity
  • Consider implementing additional security measures such as input validation and sanitization
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track asset inventory and rollback/change windows to ensure timely remediation and minimize potential impact
  • Perform source tracking and exposure review to ensure that all affected systems are accounted for and remediated

Evidence notes

The CVE record was published on 2026-07-08T20:16:53.137Z and was last modified on 2026-07-10T19:06:45.623Z. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the official CVE record and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T20:16:53.137Z and has not been modified since then. The NVD entry is currently Deferred.