Uncontrolled Recursion Affecting kibana-9.4-advanced package, versions <9.4.3-r0


Severity

Recommended: 0.0 (medium)

Snyk's Security Team recommends NVD's CVSS assessment.

Threat Intelligence

EPSS: 0.38% (30th percentile)

  • Snyk ID: SNYK-MINIMOSLATEST-KIBANA94ADVANCED-17769135
  • Published: 2 Jul 2026
  • Disclosed: 9 May 2026

Introduced: 9 May 2026

CVE-2026-41311
CWE-674

How to fix?

Upgrade Minimos:latest kibana-9.4-advanced to version 9.4.3-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kibana-9.4-advanced package and not the kibana-9.4-advanced package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.7, a circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with FATAL ERROR: JavaScript heap out of memory. This allows any user who can submit a Liquid template to perform a Denial of Service attack. This issue has been patched in version 10.25.7.

CVSS Base Scores

version 3.1