Publication date of this article: June 22, 2026
Preface: Liquid[.]js (LiquidJS) is not a machine learning framework or artificial intelligence library; it is a JavaScript implementation of the Liquid template language. Liquid was originally created by Shopify for loading dynamic content on store pages. However, due to its widespread use in building web interfaces and handling automated processes, it has been combined with machine learning and artificial intelligence in several specific ways.
Background: In a typical web application, LiquidJS runs first to build the skeleton of the page, and JavaScript runs second to make that skeleton come alive.
- Step 1 (Server): LiquidJS parses an HTML file, injects a user’s name from a database into a template, and outputs a flat HTML string.
- Step 2 (Network): The server sends this flat HTML across the internet to the user’s device.
- Step 3 (Browser): The browser displays the HTML and encounters a <script> tag. It then executes the JavaScript code to handle interactive menus or popups on that page.
The developer of LiquidJS included the regex purely to implement a built-in convenience filter called strip_html.
To keep this lightweight operation fast without pulling in a full HTML parser, the developer used a single regex alternation pattern:
/<script[\s\S]*?<\/script>|<style[\s\S]*?<\/style>|<[\s\S]*?>|<!--[\s\S]*?-->/g
Attackers can exploit the generic <[\s\S]*?> alternative with malformed, unclosed tags and attributes that the regex cannot handle efficiently.
Vulnerability details: Because LiquidJS runs directly on the Node.js backend of these cloud apps, the flawed regex becomes a critical threat vector. Node.js is single-threaded. When a backend server processes an unclosed string like <script<script… with that regex, the CPU sits at 100% while the engine works through the backtracking possibilities. A single bad request can freeze the entire server thread for over 10 seconds, creating an easy, unauthenticated denial-of-service (DoS) exploit. This is the so-called event loop blocking, a regular-expression denial of service (ReDoS).
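As an added example (not LiquidJS's own code), here is a single-pass strip_html that mirrors the regex's alternatives but memoises its lookups for closing markers, so an unclosed <script costs one forward scan in total rather than one per occurrence; stripHtmlLinear and makeFinder are hypothetical names.

```javascript
// Added example, not LiquidJS code: a single-pass strip_html that mirrors the
// regex's alternatives (script, style, generic tag) without backtracking.
// The comment alternative needs no branch: "-->" ends in ">", so the generic
// "<...>" alternative, which the regex tries first, always wins at a "<!--".
function makeFinder(text, needle) {
  let lastFrom = -1;
  let lastHit = -1;
  return (from) => {
    // Searches only move forward, so an earlier result is reusable when it
    // found nothing (nothing exists later either) or found an occurrence
    // still at or after `from`. Every input character is scanned at most once.
    if (lastFrom !== -1 && from >= lastFrom && (lastHit === -1 || lastHit >= from)) {
      return lastHit;
    }
    lastFrom = from;
    lastHit = text.indexOf(needle, from);
    return lastHit;
  };
}

function stripHtmlLinear(input) {
  const scriptEnd = makeFinder(input, '</script>');
  const styleEnd = makeFinder(input, '</style>');
  const tagEnd = makeFinder(input, '>');
  let out = '';
  let i = 0;
  while (i < input.length) {
    if (input[i] !== '<') { out += input[i++]; continue; }
    // <script ...>...</script> and <style ...>...</style>: drop the whole
    // element (case-sensitive, as the original regex has no `i` flag).
    if (input.startsWith('<script', i)) {
      const end = scriptEnd(i + 7);
      if (end !== -1) { i = end + '</script>'.length; continue; }
    }
    if (input.startsWith('<style', i)) {
      const end = styleEnd(i + 6);
      if (end !== -1) { i = end + '</style>'.length; continue; }
    }
    // Generic <...>: drop through the next '>'. With no '>' ahead the '<' is
    // literal text, exactly as with the regex, and is never searched for again.
    const end = tagEnd(i + 1);
    if (end !== -1) { i = end + 1; continue; }
    out += '<';
    i += 1;
  }
  return out;
}
```

On well-formed markup the output matches the regex filter; on the unclosed input the text describes, the work stays proportional to the input length.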
Official announcement: please refer to the following link for details: https://www.tenable.com/cve/CVE-2026-45617