GHSA-vq2f-vcc9-j8mv (Medium)
Python Liquid: Infinite loop when parsing malformed `{% case %}` tags
CVE IDs covered (1)
Description
Impact
Given a malformed `{% case %}` tag that has no associated `{% when %}` or `{% else %}` block and no terminating `{% endcase %}` tag, Python Liquid hangs in an infinite loop at parse time. This allows malicious template authors to craft templates for a denial-of-service attack.
Patches
The issue is fixed in version 2.2.1 with the correction of the `liquid.TokenStream.eof` attribute. The kind and value of the special EOF token are now the same, so either can be tested against `liquid.token.TOKEN_EOF`.
Workarounds
Manually correct the definition of `liquid.TokenStream.eof` before parsing any templates.

```python
import liquid
from liquid.token import TOKEN_EOF

# Replace the EOF sentinel so that its kind and value are both TOKEN_EOF,
# matching the corrected definition shipped in 2.2.1.
liquid.stream.TokenStream.eof = liquid.Token(TOKEN_EOF, TOKEN_EOF, -1, "")
# ...
```
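The following is an added, self-contained model of the bug class described in the Impact and Patches sections; it is constructed for this page and is not python-liquid's own tokenizer or parser. It assumes a toy `TokenStream` whose EOF sentinel is a `Token(kind, value)` pair, a `{% case %}` parser that scans forward for `when`, `else` or `endcase`, and a loop that tests the token *value* against `TOKEN_EOF`. With a sentinel whose kind is `TOKEN_EOF` but whose value is something else, the scan never sees end-of-input on a malformed template (a step budget stands in for the real hang); with a sentinel whose kind and value agree, the same input is rejected with a parse error. `eof_is_consistent` is the one-line check a deployment can run against its own sentinel before trusting the workaround.

```python
"""Toy model of an EOF-sentinel kind/value mismatch (constructed example)."""
import re
from dataclasses import dataclass

TOKEN_TAG = "TAG"
TOKEN_TEXT = "TEXT"
TOKEN_EOF = "EOF"


@dataclass(frozen=True)
class Token:
    kind: str
    value: str


class TokenStream:
    """Minimal stream: past the last real token, `current` returns the EOF sentinel."""

    def __init__(self, tokens, eof):
        self.tokens = list(tokens)
        self.pos = 0
        self.eof = eof

    @property
    def current(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else self.eof

    def next(self):
        self.pos += 1
        return self.current


TAG_RE = re.compile(r"{%\s*(\w+)[^%]*%}")  # toy tag syntax, hypothetical


def tokenize(source):
    """Split template text into TEXT tokens and TAG tokens carrying the tag name."""
    tokens, pos = [], 0
    for m in TAG_RE.finditer(source):
        if m.start() > pos:
            tokens.append(Token(TOKEN_TEXT, source[pos:m.start()]))
        tokens.append(Token(TOKEN_TAG, m.group(1)))
        pos = m.end()
    if pos < len(source):
        tokens.append(Token(TOKEN_TEXT, source[pos:]))
    return tokens


class ParseError(Exception):
    pass


class Hang(Exception):
    """Raised when the scan exceeds its step budget (models the infinite loop)."""


CASE_BRANCHES = {"when", "else", "endcase"}


def parse_case(stream, max_steps=10_000):
    """Skip from a `case` tag to its first when/else/endcase and return that tag name.

    The loop condition tests the token *value*, so it only terminates at
    end-of-input if the sentinel's value is TOKEN_EOF.
    """
    assert stream.current.value == "case"
    steps = 0
    tok = stream.next()
    while tok.value != TOKEN_EOF:  # terminates only when eof.value == TOKEN_EOF
        if tok.kind == TOKEN_TAG and tok.value in CASE_BRANCHES:
            return tok.value
        tok = stream.next()
        steps += 1
        if steps > max_steps:
            raise Hang("case scan did not terminate")
    raise ParseError("unexpected end of input inside case")


def eof_is_consistent(eof):
    """True when the sentinel can be tested by kind or by value (the 2.2.1 shape)."""
    return eof.kind == TOKEN_EOF and eof.value == TOKEN_EOF


BROKEN_EOF = Token(TOKEN_EOF, "")          # constructed: kind and value disagree
FIXED_EOF = Token(TOKEN_EOF, TOKEN_EOF)    # constructed: kind == value

MALFORMED = "{% case x %} orphan text"                       # no when/else/endcase
WELL_FORMED = "{% case x %}{% when 1 %}a{% endcase %}"       # constructed input


def outcome(source, eof):
    """Return 'hang', 'error' or the branch tag reached, for a given sentinel."""
    stream = TokenStream(tokenize(source), eof)
    try:
        return parse_case(stream)
    except Hang:
        return "hang"
    except ParseError:
        return "error"


if __name__ == "__main__":
    print("broken sentinel, malformed:", outcome(MALFORMED, BROKEN_EOF))
    print("fixed sentinel, malformed:", outcome(MALFORMED, FIXED_EOF))
    print("fixed sentinel, well-formed:", outcome(WELL_FORMED, FIXED_EOF))
```

Well-formed templates parse identically under both sentinels, which is why this defect can sit unnoticed until an attacker-supplied template omits every branch and the `endcase`; the consistency check is the cheap guard to run at startup.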
Affected products
- pip/python-liquid: < 2.2.1