CVE-2026-45357: CWE-400: Uncontrolled Resource Consumption in harttle liquidjs
CVE-2026-45357 is a high-severity vulnerability in harttle liquidjs, a JavaScript template engine. Versions 10.25.7 and below have an uncontrolled resource consumption issue in the date filter's strftime implementation. Specifically, large width specifiers like %9999999d cause unbounded string padding operations that bypass documented memory and render limits. This can lead to excessive memory use, high CPU consumption, or out-of-memory crashes during template rendering. The issue is fixed in version 10.26.0.
AI Analysis
Technical Summary
In harttle liquidjs versions 10.25.7 and earlier, the date filter's strftime implementation improperly handles large width specifiers (e.g., %9999999d), forwarding unchecked values to string padding functions. The pad loop in src/util/underscore.ts performs unbounded string concatenation without enforcing the Context's memoryLimit or renderLimit, which are intended as denial-of-service protections. As a result, a crafted template can produce megabytes of output and consume excessive CPU, bypassing the advertised resource limits. This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) and has been addressed in version 10.26.0.
Potential Impact
Exploitation of this vulnerability can cause large memory allocations, high CPU usage, and potentially out-of-memory crashes during template rendering. This can lead to denial-of-service conditions affecting applications using vulnerable versions of liquidjs.
Mitigation Recommendations
Upgrade to harttle liquidjs version 10.26.0 or later, where this vulnerability is fixed. No other mitigations are documented. Patch status is not explicitly stated as 'official-fix' in the vendor advisory, but the fix is included in version 10.26.0.
CVE-2026-45357: CWE-400: Uncontrolled Resource Consumption in harttle liquidjs
Description
CVE-2026-45357 is a high-severity vulnerability in harttle liquidjs, a JavaScript template engine. Versions 10.25.7 and below have an uncontrolled resource consumption issue in the date filter's strftime implementation. Specifically, large width specifiers like %9999999d cause unbounded string padding operations that bypass documented memory and render limits. This can lead to excessive memory use, high CPU consumption, or out-of-memory crashes during template rendering. The issue is fixed in version 10.26.0.
CVSS v3.1
Score 7.5high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
In harttle liquidjs versions 10.25.7 and earlier, the date filter's strftime implementation improperly handles large width specifiers (e.g., %9999999d), forwarding unchecked values to string padding functions. The pad loop in src/util/underscore.ts performs unbounded string concatenation without enforcing the Context's memoryLimit or renderLimit, which are intended as denial-of-service protections. As a result, a crafted template can produce megabytes of output and consume excessive CPU, bypassing the advertised resource limits. This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) and has been addressed in version 10.26.0.
Potential Impact
Exploitation of this vulnerability can cause large memory allocations, high CPU usage, and potentially out-of-memory crashes during template rendering. This can lead to denial-of-service conditions affecting applications using vulnerable versions of liquidjs.
Mitigation Recommendations
Upgrade to harttle liquidjs version 10.26.0 or later, where this vulnerability is fixed. No other mitigations are documented. Patch status is not explicitly stated as 'official-fix' in the vendor advisory, but the fix is included in version 10.26.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-11T21:40:08.179Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a332ba8f198dc38c12b61b5
Added to database: 6/17/2026, 11:20:08 PM
Last enriched: 6/17/2026, 11:34:57 PM
Last updated: 6/18/2026, 12:23:13 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.