Intel

AIKIDO-2026-127306

liquidjs is vulnerable to Allocation of Resources Without Limits or Throttling

Allocation of Resources Without Limits or Throttling Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 24, 2026

53

Medium Risk

This Affects:

JSliquidjs
10.11.0 - 10.27.0
Fixed in 10.27.1
Are you affected? Scan for Free

TL;DR

The pop and sample array filters clone their input array without charging the cloned size against the configured memoryLimit, unlike sibling filters that account for the allocation. A template or data input that routes a large array through these filters triggers an O(N) allocation the memory guard never counts. This lets an attacker bypass the memoryLimit protection and drive memory consumption past the intended cap, degrading availability. The fix charges the full cloned array length to memoryLimit in both filters.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you set a memoryLimit while rendering attacker-influenced array data through the pop or sample filters.

Background info

liquidjs is vulnerable to Allocation of Resources Without Limits or Throttling in versions 10.11.0 - 10.27.0.

How to fix this

Upgrade the liquidjs library to the patch version.