LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash
Description
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's memoryLimit security mechanism can be completely bypassed by using reverse range expressions (e.g., (100000000..1)), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., replace filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request. Version 10.25.1 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LiquidJS template engine's memoryLimit can be bypassed using reverse range expressions, allowing unlimited memory allocation and process crash via a single HTTP request.
Vulnerability
Overview
LiquidJS, a Shopify/GitHub Pages compatible template engine, contains a flaw in its memoryLimit security mechanism. The root cause lies in the evalRangeToken function, which computes memory usage for range expressions as high - low + 1. For reverse ranges where low > high (e.g., (100000000..1)), this yields a negative value. The Limiter.use() method does not validate that the count is non-negative, so it adds the negative value to an internal counter, causing it to go negative. This allows subsequent legitimate memory allocations to bypass the configured limit [1][4].
Exploitation
An attacker can exploit this by submitting a template containing a reverse range expression (e.g., (100000000..1)) combined with a string flattening operation such as the replace filter. The negative counter effectively disables the memory limit, enabling unlimited memory allocation. When combined with V8's cons-string optimization (which builds a tree of string fragments without copying), a subsequent flattening operation (like replace) forces V8 to allocate a contiguous buffer, leading to a fatal error and process crash [1].
Impact
Successful exploitation results in a complete denial of service (DoS) from a single HTTP request. The Node.js process crashes due to a V8 fatal error, affecting all users of the application until the process is restarted. No authentication is required if the template engine is exposed to user input [1][2].
Mitigation
The vulnerability is patched in LiquidJS version 10.25.1. The fix adds a check in Limiter.use() to only process positive counts, preventing the counter from going negative [4]. Users should upgrade immediately. No workarounds are documented; restricting access to template rendering endpoints can reduce risk but does not eliminate it.
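The accounting flaw and the fix described above, as a simplified model added here (an illustration, not LiquidJS source code): each limiter is charged the cost of a reverse range and then a later allocation. The class names, rangeCost, simulate, the limit of 1000 and the later allocation size are assumptions made for the example.

```javascript
// Simplified model of the accounting described on this page; not LiquidJS source.
class LimitError extends Error {}

class VulnerableLimiter {
  constructor (limit) { this.limit = limit; this.base = 0 }
  // Pre-10.25.1 behaviour: any numeric count, negative included, is added.
  use (count) {
    count = +count || 0
    if (this.base + count > this.limit) throw new LimitError('memory limit exceeded')
    this.base += count
  }
}

class PatchedLimiter {
  constructor (limit) { this.limit = limit; this.base = 0 }
  // 10.25.1 behaviour: only positive counts are checked and charged.
  use (count) {
    if (+count > 0) {
      if (this.base + +count > this.limit) throw new LimitError('memory limit exceeded')
      this.base += +count
    }
  }
}

// Cost charged for a range (low..high), per the formula quoted above.
function rangeCost (low, high) { return high - low + 1 }

// Charge one range, then one later allocation, and report what the limiter did.
function simulate (Limiter, limit, [low, high], laterAlloc) {
  const limiter = new Limiter(limit)
  limiter.use(rangeCost(low, high))
  const afterRange = limiter.base
  let rejected = false
  try {
    limiter.use(laterAlloc)
  } catch (err) {
    if (!(err instanceof LimitError)) throw err
    rejected = true
  }
  return { afterRange, rejected, finalBase: limiter.base }
}

const LIMIT = 1000               // constructed sample limit
const REVERSE = [100000000, 1]   // reverse range from the description
const LATER = 50000000           // constructed later charge, far above LIMIT

const vulnerable = simulate(VulnerableLimiter, LIMIT, REVERSE, LATER)
const patched = simulate(PatchedLimiter, LIMIT, REVERSE, LATER)
console.log({ vulnerable, patched })
```

In the vulnerable model the counter sits at -99999998 after the range, so the 50000000 charge passes a limit of 1000; the patched model leaves the counter at 0 and rejects the same charge.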
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| liquidjs (npm) | <= 10.24.0 | — |
Affected products
- harttle/liquidjs v5, Range: < 10.25.1
Patches
95ddefc056a1 fix: mem limiter for invalid ranges
1 file changed · +7 −5
src/util/limiter.ts+7 −5 modified@@ -9,12 +9,14 @@ export class Limiter { this.limit = limit } use (count: number) { - count = +count || 0 - assert(this.base + count <= this.limit, this.message) - this.base += count + if (+count > 0) { + assert(this.base + +count <= this.limit, this.message) + this.base += +count + } } check (count: number) { - count = +count || 0 - assert(count <= this.limit, this.message) + if (+count > 0) { + assert(+count <= this.limit, this.message) + } } }
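Review bot: in use(), +count is now coerced three separate times (in the guard, in the assert and in the increment) since the single count = +count || 0 normalisation was removed; coerce once into a local constant so the three uses cannot disagree, and add a short comment saying that non-positive and NaN counts are skipped on purpose, because the guard otherwise reads like an accidental no-op. The same applies to the two coercions in check(). The commit touches only src/util/limiter.ts, so it would also help to add a regression test that charges a negative count and then confirms a later over-limit use() still throws.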
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-9r5m-9576-7f6x (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33285 (ghsa, ADVISORY)
- github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578 (ghsa, x_refsource_MISC, WEB)
- github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x (ghsa, x_refsource_CONFIRM, WEB)