PT-2026-31348 · Liquidjs · Liquidjs

Published: 2026-04-08 · Updated: 2026-04-09 · CVE-2026-34166

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: LiquidJS versions prior to 10.25.3
Description: LiquidJS is a template engine. A flaw exists in the 'replace' filter when the 'memoryLimit' option is enabled. The memory usage calculation does not correctly account for the size of the output string, potentially allowing an attacker to bypass the memory limit DoS protection with approximately 2,500x amplification. This can lead to out-of-memory conditions.

The affected code is the replace filter in src/filters/string.ts:137-142. The memoryLimit.use() function only considers the input lengths, while the str.split(pattern).join(replacement) operation can produce a significantly larger output. The Limiter class at src/util/limiter.ts:3-22 only checks memory usage at the time of the use() call and does not validate actual memory allocation.

This impacts deployments that explicitly enable memory limiting to protect against untrusted template input. An attacker controlling template content can exploit this to cause Node.js process crashes, denial of service for other users, or resource exhaustion.
Recommendations: Update to LiquidJS version 10.25.3 or later. As a temporary workaround, avoid using the 'replace' filter with untrusted template content when the 'memoryLimit' option is enabled.

Fix

Resource Exhaustion

Weakness Enumeration

Related Identifiers: CVE-2026-34166, GHSA-MMG9-6M6J-JQQX

Affected Products: Liquidjs