CVE-2026-33285 Overview
LiquidJS is a Shopify and GitHub Pages compatible template engine in pure JavaScript. A critical security flaw was discovered in versions prior to 10.25.1 where the memoryLimit security mechanism can be completely bypassed using reverse range expressions. This input validation vulnerability allows attackers to allocate unlimited memory, and when combined with string flattening operations like the replace filter, causes a V8 Fatal error that crashes the Node.js process. This results in complete denial of service from a single HTTP request.
Critical Impact
A single malicious HTTP request can crash the entire Node.js process, causing complete denial of service for applications using vulnerable LiquidJS versions.
Affected Products
- LiquidJS versions prior to 10.25.1
- Node.js applications using vulnerable LiquidJS template engine
- Shopify/GitHub Pages compatible applications using LiquidJS
Discovery Timeline
- March 26, 2026 - CVE CVE-2026-33285 published to NVD
- March 26, 2026 - Last updated in NVD database
Technical Details for CVE-2026-33285
Vulnerability Analysis
This vulnerability exploits a flaw in LiquidJS's memory limiting mechanism. The memoryLimit feature was designed to prevent resource exhaustion attacks, but it fails to properly validate reverse range expressions. When a user provides a range like (100000000..1) (counting backwards from 100 million to 1), the limiter's validation logic does not correctly account for the memory that will be consumed.
The root issue lies in how the use() and check() methods in the limiter handle count values. The original implementation used count = +count || 0, which would convert non-positive numbers to zero, effectively bypassing the memory check entirely for reverse ranges that evaluate to negative intermediate values.
When this memory allocation bypass is combined with a string flattening operation such as the replace filter, the V8 JavaScript engine encounters a fatal memory condition that cannot be recovered from, causing an immediate process termination.
Root Cause
The vulnerability stems from improper input validation (CWE-20) in the memory limiter utility. The limiter failed to properly handle edge cases where the count value could be negative or non-positive, allowing attackers to bypass memory limit checks entirely. The original code converted these values to zero using the || 0 fallback, which meant no memory was tracked for reverse range allocations.
Attack Vector
An attacker can exploit this vulnerability remotely over the network without authentication. The attack requires no user interaction and can be executed with a single crafted HTTP request to any endpoint that processes LiquidJS templates with user-controlled input. The attacker simply needs to inject a reverse range expression followed by a string operation to trigger the fatal crash.
{{ (100000000..1) | join: "" | replace: "a", "b" }}
The above template expression creates a massive array through the reverse range, then attempts string operations that exceed V8's memory handling capabilities.
Detection Methods for CVE-2026-33285
Indicators of Compromise
- Sudden Node.js process crashes with V8 Fatal error messages
- Memory consumption spikes followed by immediate process termination
- HTTP requests containing suspicious range patterns like (large_number..small_number) in template inputs
- Application logs showing template rendering failures with memory-related errors
Detection Strategies
- Implement request logging to capture template expressions before processing
- Monitor for regex patterns matching reverse ranges: \(\d{6,}\.\.\d+\)
- Deploy Web Application Firewall (WAF) rules to detect and block malicious range expressions
- Enable Node.js memory profiling to detect unusual allocation patterns
Monitoring Recommendations
- Set up process monitoring to detect and alert on unexpected Node.js crashes
- Configure memory usage thresholds with alerting before critical levels
- Implement request payload inspection for template injection patterns
- Monitor application error rates for sudden spikes indicating DoS attempts
How to Mitigate CVE-2026-33285
Immediate Actions Required
- Upgrade LiquidJS to version 10.25.1 or later immediately
- If immediate upgrade is not possible, implement input validation to reject reverse range expressions
- Review and restrict user input that reaches template rendering functions
- Consider implementing rate limiting on endpoints that process templates
Patch Information
The vulnerability is patched in LiquidJS version 10.25.1. The fix modifies the Limiter class in src/util/limiter.ts to properly validate count values before tracking memory usage. The patched code now explicitly checks if the count is positive before applying memory limits:
use (count: number) {
if (+count > 0) {
assert(this.base + +count <= this.limit, this.message)
this.base += +count
}
}
check (count: number) {
if (+count > 0) {
assert(+count <= this.limit, this.message)
}
}
Source: GitHub Commit Update
For additional technical details, see the GitHub Security Advisory GHSA-9r5m-9576-7f6x.
Workarounds
- Implement server-side input sanitization to reject templates containing reverse ranges
- Deploy a reverse proxy or WAF with rules to filter suspicious template patterns
- Restrict template rendering to trusted input sources only until patching is complete
- Run LiquidJS template processing in isolated worker processes to limit crash impact
# Example: Update LiquidJS to patched version
npm update liquidjs@10.25.1
# Or install specific patched version
npm install liquidjs@^10.25.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
