High severity · NVD Advisory · Published Mar 26, 2026 · Updated Mar 28, 2026
LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash
CVE-2026-33285
Description
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's memoryLimit security mechanism can be completely bypassed by using reverse range expressions (e.g., (100000000..1)), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., replace filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request. Version 10.25.1 patches the issue.
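The accounting failure described above, as an added example (not LiquidJS code and not the project's patch): a simplified budget counter, assuming a range literal is charged as `high - low + 1`, so a reverse range yields a negative charge. The class and function names and the limit of 1000 are hypothetical.

```javascript
// Simplified model of a memory budget counter (constructed; not LiquidJS source).
class BudgetExceeded extends Error {}

class NaiveLimiter {
  constructor(limit) { this.limit = limit; this.used = 0; }
  // Charges `count` units without validating its sign.
  use(count) {
    if (this.used + count > this.limit) throw new BudgetExceeded('memory limit exceeded');
    this.used += count;
  }
}

class HardenedLimiter extends NaiveLimiter {
  // One possible hardening: reject non-finite charges and clamp negative
  // charges to zero, so no operation can ever refund budget.
  use(count) {
    if (!Number.isFinite(count)) throw new RangeError('invalid charge');
    super.use(Math.max(0, count));
  }
}

// Assumption: a range literal (low..high) is charged as high - low + 1.
function chargeRange(limiter, low, high) {
  limiter.use(high - low + 1);
}

// Charges the reverse range quoted in the advisory, then reports whether a
// later allocation of `size` units is still accepted by the limiter.
function laterAllocationAccepted(limiter, size) {
  chargeRange(limiter, 100000000, 1);
  try { limiter.use(size); return true; }
  catch (e) { if (e instanceof BudgetExceeded) return false; throw e; }
}

const LIMIT = 1000; // constructed budget
const naive = new NaiveLimiter(LIMIT);
const hardened = new HardenedLimiter(LIMIT);
console.log('naive accepts 50000 units:', laterAllocationAccepted(naive, 50000), 'used =', naive.used);
console.log('hardened accepts 50000 units:', laterAllocationAccepted(hardened, 50000), 'used =', hardened.used);
```

In the naive counter the reverse range drives `used` far below zero, so every later charge passes the limit check; the hardened counter leaves `used` at zero and rejects the oversized charge.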
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| liquidjs (npm) | <= 10.24.0 | — |
References
- github.com/advisories/GHSA-9r5m-9576-7f6x (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33285 (ghsa, ADVISORY)
- github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578 (ghsa, x_refsource_MISC, WEB)
- github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x (ghsa, x_refsource_CONFIRM, WEB)