Resource Exhaustion Affecting kibana-9.4 package, versions *

Note: Versions mentioned in the description apply only to the upstream kibana-9.4 package and not the kibana-9.4 package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the renderLimit option can be fully bypassed by a {% for %} (or {% tablerow %}) tag whose body is empty. The renderLimit option is documented in docs/source/tutorials/dos.md as the mechanism that "mitigates this by limiting the time consumed by each render() call." The per-iteration time check is reached only when the body contains at least one template node, so a template such as {%- for i in (1..N) -%}{%- endfor -%} iterates the full collection without ever consulting renderLimit. With a configured renderLimit of 50 ms, a single parseAndRenderSync call has been observed to consume 2.26 seconds (~45× over the limit) and scales linearly with N up to memoryLimit, allowing a low-privileged template author to wedge an event-loop thread for an attacker-chosen duration. Deployments that rely on a finite renderLimit for DoS protection (common in multi-tenant template-authoring environments) can still be forced by a single crafted template to monopolize a Node.js event-loop worker for attacker-controlled time, potentially stalling in-flight requests, with availability impact only. This issue has been fixed in version 10.26.0.

• https://www.cve.org/CVERecord?id=CVE-2026-44645
• https://github.com/advisories/GHSA-8xx9-69p8-7jp3
• https://osv.dev/vulnerability/MINI-27x5-pmx5-f9q3
• https://osv.dev/vulnerability/CVE-2026-44645
• https://github.com/harttle/liquidjs/commit/5b9c3469085e01c79e2d0af28e2a13f730e1793d
• https://github.com/harttle/liquidjs/releases/tag/v10.26.0
• https://github.com/harttle/liquidjs/security/advisories/GHSA-8xx9-69p8-7jp3