Description
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's `memoryLimit` security mechanism can be completely bypassed by using reverse range expressions (e.g., `(100000000..1)`), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., `replace` filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request. Version 10.25.1 patches the issue.
Published: 2026-03-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Immediately
AI Analysis

Impact

LiquidJS is a template engine that enforces a memory limit through a "memoryLimit" setting to prevent excessive resource usage. Prior to version 10.25.1 this limit can be fully bypassed by using reverse range expressions such as (100000000..1). When combined with a string‑flattening operation, the V8 engine throws a fatal error that crashes the Node.js process. The result is a complete denial of service caused by a single HTTP request.

Affected Systems

The vulnerability affects LiquidJS (harttle:liquidjs) versions older than 10.25.1. All releases before that version are susceptible when the memoryLimit feature is enabled.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. EPSS is below one percent, which indicates a low estimated probability of exploitation; the CVE is not listed in the CISA KEV catalog. The likely attack vector is remote, via a crafted HTTP request to an application that uses the vulnerable LiquidJS engine. An attacker can trigger the crash from outside without local privileges, leading to service interruption.

Generated by OpenCVE AI on March 30, 2026 at 18:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LiquidJS to version 10.25.1 or later.
  • If an upgrade is not immediately possible, consider removing or disabling LiquidJS usage from the application or restricting its inputs to prevent range expressions.
  • Verify that the "memoryLimit" setting is correctly configured and that no other code can manipulate it.
  • Apply any additional runtime isolation or error handling to prevent process termination from untrusted templates.
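
One way to apply the input-restriction stopgap from the list above while the upgrade to 10.25.1 is pending. This is an added example, not code from LiquidJS or OpenCVE; `MAX_RANGE_SPAN`, `findUnsafeRanges` and `assertTemplateSafe` are assumed names, and ranges with non-literal bounds are rejected because their size cannot be checked before rendering.

```javascript
// Added example, not LiquidJS code. MAX_RANGE_SPAN and both function names are
// assumptions chosen for illustration.
const MAX_RANGE_SPAN = 10000;
// Literal integer bound; the 15-digit cap keeps Number arithmetic exact.
const INT_RE = /^-?\d{1,15}$/;

// Single linear pass (no backtracking regex, so the guard is not itself a DoS
// vector). Inspects every innermost "( ... )" group containing "..", including
// groups in literal text, so it errs toward rejection.
function findUnsafeRanges(template, maxSpan = MAX_RANGE_SPAN) {
  const findings = [];
  let open = -1;
  for (let i = 0; i < template.length; i++) {
    const ch = template[i];
    if (ch === '(') { open = i; continue; }
    if (ch !== ')' || open === -1) continue;
    const expr = template.slice(open, i + 1);
    const index = open;
    open = -1;
    const sep = expr.indexOf('..');
    if (sep === -1) continue;
    const low = expr.slice(1, sep).trim();
    const high = expr.slice(sep + 2, -1).trim();
    if (!INT_RE.test(low) || !INT_RE.test(high)) {
      // Variable or oversized bounds cannot be sized statically: reject.
      findings.push({ expr, index, reason: 'non-literal bound' });
      continue;
    }
    const a = Number(low), b = Number(high);
    if (Math.abs(a - b) > maxSpan) {
      const reason = a > b ? 'reverse range too wide' : 'range too wide';
      findings.push({ expr, index, reason });
    }
  }
  return findings;
}

// Throws before the template ever reaches the engine.
function assertTemplateSafe(template, maxSpan = MAX_RANGE_SPAN) {
  const findings = findUnsafeRanges(template, maxSpan);
  if (findings.length > 0) {
    const err = new Error(`template rejected: ${findings.length} unsafe range expression(s)`);
    err.findings = findings;
    throw err;
  }
  return template;
}

// Constructed sample using the range from the advisory text.
console.log(findUnsafeRanges('{% for i in (100000000..1) %}{{ i }}{% endfor %}'));
```

Call `assertTemplateSafe` on any user-supplied template source before handing it to the engine. The check is textual and conservative, so it complements the upgrade rather than replacing it.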

Advisories
Source | ID | Title
Github GHSA | GHSA-9r5m-9576-7f6x | LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash

History

Mon, 30 Mar 2026 17:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Liquidjs; Liquidjs liquidjs
CPEs | | cpe:2.3:a:liquidjs:liquidjs:*:*:*:*:*:node.js:*:*
Vendors & Products | | Liquidjs; Liquidjs liquidjs

Sat, 28 Mar 2026 03:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Harttle; Harttle liquidjs
Vendors & Products | | Harttle; Harttle liquidjs

Thu, 26 Mar 2026 01:00:00 +0000

Type | Values Removed | Values Added
Description | | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's `memoryLimit` security mechanism can be completely bypassed by using reverse range expressions (e.g., `(100000000..1)`), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., `replace` filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request. Version 10.25.1 patches the issue.
Title | | LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash
Weaknesses | | CWE-20; CWE-400
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-28T02:08:05.711Z

Reserved: 2026-03-18T18:55:47.426Z

Link: CVE-2026-33285

Vulnrichment

Updated: 2026-03-28T02:08:01.337Z

NVD

Status: Analyzed

Published: 2026-03-26T01:16:27.363

Modified: 2026-03-30T16:46:19.273

Link: CVE-2026-33285

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:57:43Z

Weaknesses