liquidjs is vulnerable to Allocation of Resources Without Limits or Throttling
53
Medium Risk
The pop and sample array filters clone their input array without charging the cloned size against the configured memoryLimit, unlike sibling filters that account for the allocation. A template or data input that routes a large array through these filters triggers an O(N) allocation the memory guard never counts. This lets an attacker bypass the memoryLimit protection and drive memory consumption past the intended cap, degrading availability. The fix charges the full cloned array length to memoryLimit in both filters.
You are affected if you are using a version that falls within the vulnerable range and you set a memoryLimit while rendering attacker-influenced array data through the pop or sample filters.
liquidjs is vulnerable to Allocation of Resources Without Limits or Throttling in versions 10.11.0 - 10.27.0.
Upgrade the liquidjs library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant