PT-2026-28162 · V8+2 · V8+2

Kodove · Published 2026-03-25 · Updated 2026-03-26 · CVE-2026-33285

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

LiquidJS versions prior to 10.25.1

Description

LiquidJS’s memoryLimit security feature can be bypassed using reverse range expressions (e.g., (100000000..1)), allowing an attacker to allocate unlimited memory. When combined with a string flattening operation (e.g., the replace filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in a denial of service from a single HTTP request. The attack payload is approximately 400 bytes.

The vulnerability occurs because the Limiter.use() method does not validate that its count parameter is non-negative, so a negative value can be added to the internal counter. Subsequent memory allocations then bypass the configured memoryLimit, and a cons-string flattening operation triggers the V8 Fatal error. The issue can be exploited if an attacker can control Liquid template source code.
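
The accounting flaw described above, shown on a simplified model next to one way to harden it. This is an added example, not LiquidJS source code: the class names, the simulate() helper, the 1000-unit budget and the "high - low + 1" cost model for ranges are assumptions made for illustration.

```javascript
// Simplified model of a template-engine memory limiter (hypothetical names;
// not LiquidJS source code).
class VulnerableLimiter {
  constructor(limit) { this.limit = limit; this.used = 0; }
  use(count) {
    // No sign check: a negative count lowers `used` and refunds budget.
    if (this.used + count > this.limit) throw new RangeError('memory limit exceeded');
    this.used += count;
  }
}

class HardenedLimiter extends VulnerableLimiter {
  use(count) {
    // Reject anything that is not a non-negative finite number before accounting.
    if (!Number.isFinite(count) || count < 0) throw new RangeError('invalid allocation size');
    super.use(count);
  }
}

// Assumed cost model: a range (low..high) is charged high - low + 1 units,
// which is negative when the bounds are reversed.
function rangeCost(low, high) { return high - low + 1; }

// Charge one range, then one ordinary allocation; report what the limiter allowed.
function simulate(limiter, low, high, laterAlloc) {
  const result = { rangeCharged: false, laterAllowed: false, used: 0 };
  try {
    limiter.use(rangeCost(low, high));
    result.rangeCharged = true;
    limiter.use(laterAlloc);
    result.laterAllowed = true;
  } catch (err) {
    result.error = err.message;
  }
  result.used = limiter.used;
  return result;
}

const LIMIT = 1000; // constructed budget, in abstract units
// Reverse range bounds from the advisory, then an allocation far above the limit.
const vulnerable = simulate(new VulnerableLimiter(LIMIT), 100000000, 1, 50000000);
const hardened = simulate(new HardenedLimiter(LIMIT), 100000000, 1, 50000000);
console.log({ vulnerable, hardened });
```

In the vulnerable model the counter ends up negative, so the oversized allocation passes the limit check; the hardened model rejects the negative charge before any accounting happens.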

Recommendations

Versions prior to 10.25.1 should be updated to version 10.25.1 or later.

Exploit

Fix

Resource Exhaustion

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-33285
GHSA-9R5M-9576-7F6X

Affected Products

LiquidJS
Node.js
V8