LiquidJS Denial-of-Service Vulnerability via Circular Block References

Vulnerability

A denial-of-service vulnerability has been identified in LiquidJS, a pure JavaScript implementation of the Liquid template language that aims for compatibility with Shopify Liquid and Jekyll (GitHub Pages). In versions prior to 10.25.7, a circular block reference between the layout and block tags sends the renderer into an unbounded recursion. The recursion keeps allocating until the Node.js heap limit (approximately 4 GB) is reached, at which point the process aborts with a 'heap out of memory' error. Because Liquid is typically exposed to end users precisely as a "safe" template language, any user who can submit a template to a vulnerable application can trigger the crash and take the whole service down.

Impact

A single rendered template is enough: the Node.js process exhausts its heap and crashes, disrupting every service hosted in that process. The crash is deterministic, so repeated submissions can keep the service down even when a supervisor restarts the process after each abort.

Reproduction

To reproduce the issue, create a layout file that defines several named blocks, then create a template that selects that layout with the layout tag and nests a block inside another block of the same name. Rendering the template recurses through the circular reference: the process hangs while its memory use climbs and finally aborts with the heap error. Nested anonymous blocks (block tags with no name) trigger the same behaviour.
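A pre-render screening check for the pattern described above, added here as an example and not code from the LiquidJS project: it scans the block and endblock tags of a submitted template, keeps a stack of the blocks currently open, and flags any block tag that opens while a block of the same name (or another anonymous block) is still open. The tag grammar it assumes, `{% block name %}` with an optional quoted name, an optional name, and `{%-` / `-%}` whitespace control, and the function names are this example's own. It is a stop-gap for deployments that cannot upgrade immediately, not a replacement for 10.25.7.

```javascript
// Added example: detect nested same-name (or nested anonymous) block tags in a
// Liquid template before handing it to the engine. Not LiquidJS code; the tag
// grammar below is an assumption: {% block name %} ... {% endblock %}, where the
// name may be quoted or omitted, and {%- / -%} whitespace control is allowed.

// Extract the block name from the raw tag arguments. An empty string means an
// anonymous block, which is how the nested-anonymous case is caught as well.
function parseBlockName(args) {
  const m = /^\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+))?/.exec(args);
  return m[1] ?? m[2] ?? m[3] ?? '';
}

// Returns one finding per block tag that opened while a block of the same name
// was still open. Each finding carries the name, the character offset and the tag text.
function findCircularBlocks(template) {
  // group 1: keyword, group 2: raw arguments up to the closing %}
  const tagRe = /\{%-?\s*(block|endblock)\b([^%]*?)-?%\}/g;
  const stack = [];     // names of currently open blocks, innermost last
  const findings = [];
  let m;
  while ((m = tagRe.exec(template)) !== null) {
    const [tag, keyword, args] = m;
    if (keyword === 'endblock') {
      stack.pop();      // an unmatched endblock is the engine's syntax error, not ours
      continue;
    }
    const name = parseBlockName(args);
    if (stack.includes(name)) {
      findings.push({
        name: name === '' ? '(anonymous)' : name,
        offset: m.index,
        tag,
      });
    }
    stack.push(name);
  }
  return findings;
}

// Convenience gate for a request handler: true if the template passes the check.
function isSafeToRender(template) {
  return findCircularBlocks(template).length === 0;
}

// Constructed sample templates (not taken from the advisory).
const SAMPLE_BENIGN = [
  '{% layout "base" %}',
  '{% block header %}Hello{% endblock %}',
  '{% block content %}{% block sidebar %}links{% endblock %}text{% endblock %}',
].join('\n');

const SAMPLE_CIRCULAR = [
  '{% layout "base" %}',
  '{%- block content -%}outer {% block content %}inner{% endblock %}{%- endblock -%}',
].join('\n');

const SAMPLE_ANONYMOUS =
  '{% layout "base" %}{% block %}{% block %}x{% endblock %}{% endblock %}';
```

Run `isSafeToRender` on the submitted text before calling the engine and reject with a 4xx on a non-empty finding list; sibling blocks that reuse a name (one closed before the next opens) are deliberately allowed, since only nesting creates the circular reference. Apply the same check to any layout or partial the user can also control.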

Remediation

Upgrade to LiquidJS 10.25.7 or later, which contains the fix. Until the upgrade is deployed, treat template submission as a privileged action, and render untrusted templates in a separate worker or process with its own memory limit so that an out-of-memory abort kills only the renderer rather than the whole service.

Added: May 9, 2026, 4:24 AM
Updated: May 9, 2026, 4:24 AM

Vulnerability Rating

Custom Algorithm (score by category):

  spread          2.4
  impact          2.5
  exploitability  4.6
  remediation     7.7
  relevance       7.8
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to produce these eight category scores, which are then combined into the overall risk score.