Resource Exhaustion Affecting kibana-9.4-advanced package, versions <9.4.3-r0


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.32% (24th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-MINIMOSLATEST-KIBANA94ADVANCED-17772049
  • published2 Jul 2026
  • disclosed17 Jun 2026

Introduced: 17 Jun 2026

NewCVE-2026-44645  (opens in a new tab)
CWE-400  (opens in a new tab)

How to fix?

Upgrade Minimos:latest kibana-9.4-advanced to version 9.4.3-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kibana-9.4-advanced package and not the kibana-9.4-advanced package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the renderLimit option can be fully bypassed by a {% for %} (or {% tablerow %}) tag whose body is empty. The renderLimit option is documented in docs/source/tutorials/dos.md as the mechanism that "mitigates this by limiting the time consumed by each render() call." The per-iteration time check is reached only when the body contains at least one template node, so a template such as {%- for i in (1..N) -%}{%- endfor -%} iterates the full collection without ever consulting renderLimit. With a configured renderLimit of 50 ms, a single parseAndRenderSync call has been observed to consume 2.26 seconds (~45× over the limit) and scales linearly with N up to memoryLimit, allowing a low-privileged template author to wedge an event-loop thread for an attacker-chosen duration. Deployments that rely on a finite renderLimit for DoS protection (common in multi-tenant template-authoring environments) can still be forced by a single crafted template to monopolize a Node.js event-loop worker for attacker-controlled time, potentially stalling in-flight requests, with availability impact only. This issue has been fixed in version 10.26.0.