CVE-2026-33285
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's memoryLimit security mechanism can be completely bypassed by using reverse range expressions (e.g., (100000000..1)), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., replace filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request. Version 10.25.1 patches the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| harttle | liquidjs | < 10.25.1 | affected |
Weaknesses
- CWE-20: CWE-20: Improper Input Validation
- CWE-400: CWE-400: Uncontrolled Resource Consumption
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x
- https://github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.