CVE-2026-45617

HIGHPre-NVD 7.57.5

7.5

LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in strip_html Filter Regex

Summary

The built-in strip_html filter in liquidjs uses a regex containing four lazy-quantified alternatives. When the input contains many ||<.*?>|/g, '') }

The regex contains four lazy patterns:


<.*?>

<!--[\s\S]*?-->
For an input like ' {
  for (const n of [1000, 2000, 4000, 8000, 16000]) {
    const payload = ' {
  const payload = ')[^<]*)*<\/script>|)[^<]*)*<\/style>|<!--[^-]*(?:-(?!->)[^-]*)*-->|<[^>]*>/g,
  ''
)

This unrolls each lazy quantifier so each < is visited at most a constant number of times overall — linear total work.

Option 2 — single-pass tokenizer in plain code; iterate over the string once, tracking whether you are inside `, , comment, or generic tag, and emit nothing for those ranges.

Either fix should be combined with charging the regex output cost honestly to memoryLimit` and (defensively) capping input length up front:

export function strip_html (this: FilterImpl, v: string) {
  const str = stringify(v)
  this.context.memoryLimit.use(str.length)
  // ... linear-time strip implementation here
}

CVSS v3: 7.5
EG Score: 7.5(low)
EPSS: —
KEV: Not listed

Published

May 27, 2026

Last Modified

May 27, 2026

Vendor Advisories for CVE-2026-45617(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

GHSA-r7g9-xpmj-5fcq
GitHub Security AdvisoriesHigh
LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex

Data Freshness Timeline

(refreshed 1× in last 7d / 1× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-05-27 18:35 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-45617?

CVE-2026-45617 is a high vulnerability published on May 27, 2026. LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in strip_html Filter Regex Summary The built-in striphtml filter in liquidjs uses a regex containing four lazy-quantified alternatives. When the input contains many <script, <style, or <!-- opener tokens without matching closers, the V8 regex…

When was CVE-2026-45617 disclosed?

CVE-2026-45617 was first published in the National Vulnerability Database on May 27, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

What is the CVSS score of CVE-2026-45617?

CVE-2026-45617 has a CVSS v3 base score of 7.5 (NVD). The EG score is currently aggregating — additional source signals are being incorporated as they become available..

How do I remediate CVE-2026-45617?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-45617, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-45617

Explore →

Is Your Infrastructure Affected by CVE-2026-45617?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2026-45617

Summary

📅 Published

🔄 Last Modified

📣 Vendor Advisories for CVE-2026-45617(1)