CVE-2026-33287 Overview
CVE-2026-33287 is a memory amplification vulnerability in LiquidJS, a Shopify and GitHub Pages compatible template engine implemented in pure JavaScript. Prior to version 10.25.1, the replace_first filter in LiquidJS uses JavaScript's String.prototype.replace() which interprets $& as a back reference to the matched substring. The filter only charges memoryLimit for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the memoryLimit budget, leading to denial of service.
Critical Impact
This vulnerability enables attackers to trigger severe memory exhaustion through a 625,000:1 amplification ratio, potentially crashing applications or servers that process user-controlled Liquid templates.
Affected Products
- LiquidJS versions prior to 10.25.1
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-33287 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33287
Vulnerability Analysis
This vulnerability is classified as CWE-20 (Improper Input Validation) and represents a resource exhaustion attack through memory amplification. The core issue lies in how the replace_first filter handles special replacement patterns in JavaScript's string replacement functionality.
When using String.prototype.replace() in JavaScript, the replacement string can contain special patterns like $& which references the entire matched substring. The LiquidJS replace_first filter fails to account for this behavior when calculating memory consumption against the configured memoryLimit.
The vulnerability allows an attacker to craft a malicious template that passes the memory limit checks but generates output exponentially larger than the input. With a documented amplification ratio of up to 625,000:1, even a small input string can consume gigabytes of memory, leading to application crashes, out-of-memory conditions, or server-wide denial of service.
Root Cause
The root cause is a discrepancy between the memory accounting mechanism and the actual memory consumed during string replacement operations. The memoryLimit protection calculates memory usage based on the input string length without considering that JavaScript's replacement patterns (specifically $& back references) can multiply the output size exponentially. This improper validation of the output size creates an exploitable gap in the resource limiting mechanism.
Attack Vector
The attack is network-accessible with no authentication required. An attacker can submit a specially crafted Liquid template containing the replace_first filter with malicious replacement patterns. When the server processes this template, the memory amplification bypasses the configured limits and exhausts available system memory.
The attack requires no user interaction and targets the availability of the affected system. Applications that allow user-provided templates or process untrusted Liquid content are particularly vulnerable to this denial of service attack.
Detection Methods for CVE-2026-33287
Indicators of Compromise
- Unusual memory consumption spikes during template processing operations
- Application crashes with out-of-memory errors when processing Liquid templates
- Presence of replace_first filters with $& patterns in submitted templates
- Repeated template processing requests from single sources targeting memory limits
Detection Strategies
- Monitor memory usage patterns during LiquidJS template rendering operations
- Implement logging for templates containing replace_first filters with potential back reference patterns
- Set up alerting for sudden memory allocation increases in Node.js applications using LiquidJS
- Review application logs for repeated template processing failures or timeouts
Monitoring Recommendations
- Establish baseline memory consumption metrics for template processing operations
- Configure memory usage alerts at 70% and 90% thresholds for early detection
- Monitor for anomalous request patterns targeting template rendering endpoints
- Track the ratio of input size to processing time and memory consumption
How to Mitigate CVE-2026-33287
Immediate Actions Required
- Upgrade LiquidJS to version 10.25.1 or later immediately
- Audit applications for user-controllable template processing functionality
- Implement additional input validation for template content before processing
- Consider temporary rate limiting on template rendering endpoints
Patch Information
The vulnerability is resolved in LiquidJS version 10.25.1. The patch corrects the memory accounting to include the amplified output size when calculating against the memoryLimit. For technical details on the fix, refer to the GitHub Commit and the GitHub Security Advisory GHSA-6q5m-63h6-5x4v.
Workarounds
- Reduce the configured memoryLimit to minimize potential impact if upgrading is not immediately possible
- Implement application-level monitoring to terminate long-running template operations
- Restrict or sanitize user-provided template content, especially patterns containing $ characters
- Deploy process isolation or containerization to limit the blast radius of memory exhaustion attacks
# Update LiquidJS to patched version
npm update liquidjs@10.25.1
# Verify installed version
npm list liquidjs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
