CVE-2026-33287

LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern

Assigner: GitHub_M
Reserved: 18.03.2026 Published: 26.03.2026 Updated: 26.03.2026

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the replace_first filter in LiquidJS uses JavaScript's String.prototype.replace() which interprets $& as a back reference to the matched substring. The filter only charges memoryLimit for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the memoryLimit budget, leading to denial of service. Version 10.25.1 patches the issue.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	harttle
Product	liquidjs
Versions	Version < 10.25.1 is affected

Vendor

harttle

Product

liquidjs

Versions

Version < 10.25.1 is affected

References

Problem Types

CWE-20: Improper Input Validation CWE
CWE-400: Uncontrolled Resource Consumption CWE

CVE-2026-33287 PUBLISHED

LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern

Metrics

Product Status

References

Problem Types