PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-41311 Unknown Vendor CVE debrief

CVE-2026-41311 is a denial-of-service vulnerability in LiquidJS. A circular {% layout %}/{% block %} reference can trigger an infinite recursive loop, consuming available memory and crashing the Node.js process. The issue is fixed in LiquidJS 10.25.7, and teams that accept untrusted Liquid templates should prioritize upgrading and adding template validation controls.

Vendor: Unknown Vendor
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-09
Original CVE updated: 2026-05-09
Advisory published: 2026-05-09
Advisory updated: 2026-05-09

Who should care

Operators and developers using LiquidJS in Node.js applications, especially any service that renders user-supplied or tenant-supplied Liquid templates. Security teams should also review template submission paths and any build or preview systems that evaluate Liquid content.

Technical summary

The NVD record and GitHub advisory align on CWE-674 (Uncontrolled Recursion). In affected LiquidJS versions prior to 10.25.7, a circular block reference in {% layout %} and {% block %} can recurse indefinitely, eventually exhausting the JavaScript heap (described as around 4GB) and terminating the process with a fatal out-of-memory error. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, reflecting a network-reachable availability impact.

Defensive priority

High — the issue can be triggered by submitting a crafted template, and the result is process-level denial of service through memory exhaustion.

Recommended defensive actions

  • Upgrade LiquidJS to version 10.25.7 or later.
  • Inventory all applications and services that use LiquidJS, including preview, CMS, and build pipelines.
  • Restrict who can submit or modify Liquid templates; treat untrusted templates as high risk.
  • Add validation or policy checks to reject circular {% layout %}/{% block %} relationships before rendering.
  • Run the renderer with process isolation and resource limits so a crash or memory spike is contained.
  • Confirm deployed package versions and redeploy any pinned or vendored copies that still use a vulnerable release.
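One way to implement the pre-render validation step above, as an added example that is not LiquidJS project code: walk the {% layout %} references between stored templates and refuse to render any chain that loops back on itself. It assumes templates are held by name in a Map and that a layout is referenced as {% layout "name" %} (double or single quotes, optional whitespace-trim dashes); the template names are constructed sample data.

```javascript
// Added example, not from the LiquidJS project. Assumed tag shape:
// {% layout "name" %} / {% layout 'name' %}, with optional {%- -%} trimming.
const LAYOUT_TAG = /\{%-?\s*layout\s+(["'])([^"']+)\1\s*-?%\}/g;

// Return every layout name a template source references.
function layoutRefs(source) {
  const refs = [];
  for (const m of source.matchAll(LAYOUT_TAG)) refs.push(m[2]);
  return refs;
}

// Depth-first walk of layout references starting at `start`.
// Returns the cycle as an array of names (first name repeated at the end),
// or null when no cycle is reachable from `start`.
function findLayoutCycle(templates, start) {
  const onPath = new Set(); // names on the current DFS path
  const done = new Set();   // names fully explored without a cycle
  const path = [];
  function visit(name) {
    if (onPath.has(name)) return path.slice(path.indexOf(name)).concat(name);
    if (done.has(name)) return null;
    const src = templates.get(name);
    if (src === undefined) return null; // missing layout: a render error, not recursion
    onPath.add(name);
    path.push(name);
    for (const ref of layoutRefs(src)) {
      const cycle = visit(ref);
      if (cycle) return cycle;
    }
    path.pop();
    onPath.delete(name);
    done.add(name);
    return null;
  }
  return visit(start);
}

// Constructed sample store: a sound chain, a two-template loop, a self-loop.
const templates = new Map([
  ['base', '<html>{% block content %}{% endblock %}</html>'],
  ['page', '{% layout "base" %}{% block content %}hi{% endblock %}'],
  ['loopA', '{% layout "loopB" %}{% block content %}a{% endblock %}'],
  ['loopB', "{%- layout 'loopA' -%}{% block content %}b{% endblock %}"],
  ['self', '{% layout "self" %}'],
]);

// Gate a render request: only templates with no reachable cycle are rendered.
function safeToRender(name) {
  return findLayoutCycle(templates, name) === null;
}
```

Call safeToRender before handing a template to the LiquidJS engine; the cycle array returned by findLayoutCycle is what you would log or show to the submitter when rejecting the template.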

Evidence notes

The supplied official sources are consistent: the CVE description states the circular layout/block recursion issue and the fix in 10.25.7; the NVD record supplies the CVSS vector and CWE-674; the GitHub advisory, release tag v10.25.7, and commit e2311dfd6e82f73509308aa8a3a1fafc92e226f0 are the referenced remediation artifacts. The CVE was published and modified at 2026-05-09T04:16:21.913Z in the provided timeline.

Official resources

CVE-2026-41311 was published and last modified on 2026-05-09T04:16:21.913Z. No KEV entry was provided in the supplied data. The official remediation references are the GitHub advisory, the fixing commit, and LiquidJS release v10.25.7.