CVE-2026-33285

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's `memoryLimit` security mechanism can be completely bypassed by using reverse range expressions (e.g., `(100000000..1)`), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., `replace` filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request. Version 10.25.1 patches the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578	Patch
https://github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:liquidjs:liquidjs:*:*:*:*:*:node.js:*:*

History

30 Mar 2026, 16:46

Type	Values Removed	Values Added
First Time		Liquidjs Liquidjs liquidjs
CPE		cpe:2.3:a:liquidjs:liquidjs::::::node.js::*
References	~~() https://github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578 -~~	() https://github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578 - Patch
References	~~() https://github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x -~~	() https://github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x - Exploit, Vendor Advisory

Information

Published : 2026-03-26 01:16

Updated : 2026-03-30 16:46

NVD link : CVE-2026-33285

Mitre link : CVE-2026-33285

CVE.ORG link : CVE-2026-33285

JSON object : View

Products Affected

liquidjs

liquidjs

CWE

CWE-20

Improper Input Validation

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2026-33285", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-26T01:16:27.363", "references": [{"url": "https://github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's `memoryLimit` security mechanism can be completely bypassed by using reverse range expressions (e.g., `(100000000..1)`), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., `replace` filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request. Version 10.25.1 patches the issue."}, {"lang": "es", "value": "LiquidJS es un motor de plantillas compatible con Shopify / GitHub Pages en JavaScript puro. Antes de la versi\u00f3n 10.25.1, el mecanismo de seguridad 'memoryLimit' de LiquidJS puede ser completamente eludido mediante el uso de expresiones de rango inverso (por ejemplo, '(100000000..1)'), permitiendo a un atacante asignar memoria ilimitada. Combinado con una operaci\u00f3n de aplanamiento de cadenas (por ejemplo, el filtro 'replace'), esto causa un error fatal de V8 que provoca la ca\u00edda del proceso de Node.js, resultando en una denegaci\u00f3n de servicio completa desde una \u00fanica solicitud HTTP. La versi\u00f3n 10.25.1 corrige el problema."}], "lastModified": "2026-03-30T16:46:19.273", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:liquidjs:liquidjs:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "7E49E8C9-5FB9-40CA-BE2C-AC2B6553F472", "versionEndExcluding": "10.25.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}