### Impact Given a malformed `{% case %}` tag without associated `{% when %}` or `{% else %}` block, and no terminating `{% endcase %}` tag, Python Liquid hangs in an infinite loop at parse time. This allows malicious template authors to craft templates for a denial of service attack. ### Patches The issue is fixed in version 2.2.1 with the correction of the `liquid.TokenStream.eof` attribute. The `kind` and `value` of the special EOF token are now the same, so either can be tested against `liquid.token.TOKEN_EOF`. ### Workarounds Manually correct the definition of `liquid.TokenStream.eof` before parsing any templates. ```python import liquid from liquid.token import TOKEN_EOF liquid.stream.TokenStream.eof = liquid.Token(TOKEN_EOF, TOKEN_EOF, -1, "") # ... ```
Get alerted for CVEs like this
Register your stack and get notified within minutes when a matching CVE drops.
Start monitoring free