CVE-2026-55865 in liquidinfo

Summary

by MITRE • 07/10/2026

Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.1, given a malformed {% case %} tag without an associated {% when %} or {% else %} block and no terminating {% endcase %} tag, Python Liquid hangs in an infinite loop at parse time because liquid.TokenStream.eof did not give the EOF token matching kind and value fields, allowing malicious template authors to craft templates for a denial of service attack. This issue is fixed in version 2.2.1.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability in Python Liquid stems from a critical flaw in the template parsing mechanism that affects versions prior to 2.2.1. This issue manifests when processing malformed {% case %} tags that lack proper termination sequences including associated {% when %} or {% else %} blocks and the essential {% endcase %} closing tag. The root cause lies within the liquid.TokenStream.eof implementation which fails to properly recognize and handle EOF tokens that match both their kind and value fields. This parsing deficiency creates a condition where the parser enters an infinite loop during template compilation, effectively causing a denial of service scenario that can be exploited by malicious template authors.

The technical implementation flaw represents a classic example of improper input validation and state management in parsing systems. When the parser encounters a malformed case statement without proper termination, it continuously attempts to process tokens without recognizing the end-of-file condition, leading to unbounded execution cycles. This vulnerability specifically impacts the liquid.TokenStream class which is responsible for tokenizing and managing template content during parsing operations. The absence of proper EOF token matching allows the parser to remain in a perpetual state of token consumption, making it impossible for the system to complete template compilation.

From an operational perspective, this vulnerability presents a significant security risk that can be exploited by attackers who have the ability to inject or modify templates within systems using Python Liquid. The denial of service impact is severe as it can cause complete system unresponsiveness during template processing, potentially affecting all users of the application until the parsing issue is resolved. This type of vulnerability aligns with CWE-835 which addresses infinite loops in software implementations and represents a common class of flaws found in parsing and tokenization systems where end-of-input conditions are not properly handled.

The exploitability of this vulnerability is enhanced by the fact that it can be triggered through template content manipulation, making it particularly dangerous in environments where user-generated templates are processed. Attackers can craft malicious templates containing malformed case statements to consume system resources indefinitely, leading to service disruption and potential resource exhaustion attacks. This scenario demonstrates a clear pathway from code execution to denial of service as outlined in the ATT&CK framework under T1499 which covers network denial of service attacks.

Mitigation strategies should focus on immediate deployment of Python Liquid version 2.2.1 or later, which contains the necessary fixes for proper EOF token handling and termination condition detection. Organizations should also implement input validation controls to sanitize template content and consider rate limiting mechanisms for template processing operations. Additionally, monitoring systems should be configured to detect unusual parsing behavior that might indicate exploitation attempts. The fix addresses the core issue by ensuring that liquid.TokenStream.eof properly identifies and handles EOF tokens with correct matching of both kind and value fields, thereby preventing the infinite loop condition that previously allowed denial of service attacks.

This vulnerability exemplifies the importance of proper resource management in template engines and parsing systems where malformed input can lead to catastrophic behavior. The implementation of robust error handling and termination conditions is essential for maintaining system stability and security. Organizations relying on Python Liquid or similar template processing libraries should conduct thorough testing to ensure that all parsing edge cases are properly handled, particularly those involving incomplete or malformed control structures that could lead to resource exhaustion attacks.

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!