CVE-2026-34166 Overview
CVE-2026-34166 is a Resource Exhaustion vulnerability in LiquidJS, a Shopify and GitHub Pages compatible template engine written in pure JavaScript. Prior to version 10.25.3, the replace filter incorrectly accounts for memory usage when the memoryLimit option is enabled, allowing attackers who control template content to bypass DoS protections and potentially cause out-of-memory conditions.
Critical Impact
Attackers controlling template content can bypass memory limit protections with approximately 2,500x amplification, potentially causing denial of service through memory exhaustion.
Affected Products
- LiquidJS versions prior to 10.25.3
- Applications using LiquidJS with memoryLimit option enabled
- Shopify/GitHub Pages compatible implementations using vulnerable LiquidJS versions
Discovery Timeline
- April 8, 2026 - CVE-2026-34166 published to NVD
- April 8, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34166
Vulnerability Analysis
The vulnerability exists in the replace filter implementation within LiquidJS. The filter incorrectly calculates memory consumption by charging only str.length + pattern.length + replacement.length bytes to the memory limiter. However, the actual output generated by str.split(pattern).join(replacement) can be quadratically larger when the pattern occurs many times within the input string.
This miscalculation creates a significant amplification opportunity. When an attacker crafts a template with a string containing many occurrences of a short pattern and specifies a longer replacement string, the resulting output consumes far more memory than what was charged to the limiter. The research indicates this can result in approximately 2,500x memory amplification, effectively bypassing the memoryLimit DoS protection mechanism entirely.
Root Cause
The root cause is an improper memory accounting calculation in the string replace filter (CWE-400: Uncontrolled Resource Consumption). The original implementation failed to account for the multiplicative effect of pattern occurrences when calculating the output size. Instead of computing the actual output size based on the number of pattern matches and the difference between replacement and pattern lengths, it used a simplified linear calculation that drastically underestimated memory usage.
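To make the accounting gap concrete, the following is an added example (it is not LiquidJS's own code) that computes the legacy charge, the corrected charge from the patch, and the real output length for one constructed input. The sample string, the 50-character replacement and the helper names are this example's own assumptions; the formulas are the ones quoted from the vulnerable and patched filter.

```javascript
// Added example, not LiquidJS code: compares the pre-10.25.3 memory charge
// for the replace filter with the real output size and with the corrected
// formula from the fix. All inputs below are constructed for illustration.

// What the vulnerable filter charged to memoryLimit before rendering:
// a linear estimate that ignores how many times the pattern occurs.
function legacyCharge(str, pattern, replacement) {
  return str.length + pattern.length + replacement.length;
}

// What the patched filter charges: the exact length of the string that
// str.split(pattern).join(replacement) will build. This also holds for an
// empty pattern, where split('') yields one part per UTF-16 code unit.
function patchedCharge(str, pattern, replacement) {
  const parts = str.split(pattern);
  return str.length + (parts.length - 1) * (replacement.length - pattern.length);
}

// Ground truth: actually build the output and measure it.
function actualOutputLength(str, pattern, replacement) {
  return str.split(pattern).join(replacement).length;
}

// Ratio between the real output and what the legacy accounting charged.
function amplification(str, pattern, replacement) {
  return actualOutputLength(str, pattern, replacement) /
    legacyCharge(str, pattern, replacement);
}

// Constructed sample: 1,000 occurrences of a 1-character pattern and a
// 50-character replacement (both values are this example's own choice).
const SAMPLE = { str: 'a'.repeat(1000), pattern: 'a', replacement: 'b'.repeat(50) };

// Summarise legacy charge, patched charge and real output for one sample.
function report(sample = SAMPLE) {
  const { str, pattern, replacement } = sample;
  return {
    legacy: legacyCharge(str, pattern, replacement),        // 1051
    patched: patchedCharge(str, pattern, replacement),      // 50000
    actual: actualOutputLength(str, pattern, replacement),  // 50000
    amplification: amplification(str, pattern, replacement),
  };
}

console.log(report());
```

The patched charge equals the measured output for every case, including a pattern longer than its replacement (the output shrinks and the charge shrinks with it) and a pattern that does not occur at all (the charge reduces to `str.length`). The legacy charge is correct only when the pattern occurs at most once.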
Attack Vector
This vulnerability is exploitable over the network by attackers who can control template content processed by LiquidJS. The attack requires crafting a malicious template that uses the replace filter with:
- An input string containing many repeated occurrences of a short pattern
- A replacement string significantly longer than the pattern
The combination results in output that exceeds the intended memory limit while staying within the incorrectly calculated budget.
The following patch addresses the vulnerability by correctly calculating the output size:
const str = stringify(v)
pattern = stringify(pattern)
replacement = stringify(replacement)
- this.context.memoryLimit.use(str.length + pattern.length + replacement.length)
- return str.split(pattern).join(replacement)
+ const parts = str.split(pattern)
+ const outputSize = str.length + (parts.length - 1) * (replacement.length - pattern.length)
+ this.context.memoryLimit.use(outputSize)
+ return parts.join(replacement)
}
export function replace_first (this: FilterImpl, v: string, arg1: string, arg2: string) {
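Review bot: the corrected charge on the `+ const outputSize = ...` line is the exact length of the string that `parts.join(replacement)` builds, including the empty-pattern case (where `split('')` yields one part per code unit and the expression reduces to `str.length + (parts.length - 1) * replacement.length`), but nothing in the hunk states that invariant; add a one-line comment saying that `outputSize` is the length of the joined result, so a later refactor does not reintroduce the linear `str.length + pattern.length + replacement.length` estimate. It is also worth noting in that comment that `str.split(pattern)` now runs before `this.context.memoryLimit.use(outputSize)`, so the `parts` array is allocated before the charge is applied; its size is bounded by the input length rather than by the replacement, which is why the ordering is acceptable.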
Source: GitHub Commit
Detection Methods for CVE-2026-34166
Indicators of Compromise
- Unusual memory consumption spikes in Node.js applications using LiquidJS
- Out-of-memory errors or application crashes during template rendering
- Template inputs containing strings with highly repetitive patterns combined with replace filter usage
- Process terminations due to memory limits being exceeded at the OS or container level
Detection Strategies
- Monitor memory usage patterns in applications processing user-controlled templates
- Implement application-level logging for template rendering operations that exceed normal memory thresholds
- Audit template inputs for suspicious patterns involving repetitive strings with replace filters
- Use runtime memory profiling to identify abnormal allocation patterns during template processing
Monitoring Recommendations
- Set up alerting for memory usage anomalies in LiquidJS-powered applications
- Implement request-level memory tracking for template rendering endpoints
- Monitor for repeated out-of-memory conditions that may indicate exploitation attempts
- Track template complexity metrics to identify potentially malicious inputs
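The request-level memory tracking and alerting items above can be combined into one small wrapper. The following is an added example (not LiquidJS's own code) that samples heap usage around a render call, compares the growth with the size of the template input, and emits a structured log line for renders whose growth ratio exceeds a threshold. The `trackRender` and `toLogLine` names, the `maxGrowthRatio` default of 100 and the `fakeRender` stand-in are this example's own assumptions; in a real endpoint the render argument would be the application's existing LiquidJS render call.

```javascript
// Added example, not part of LiquidJS: request-level memory tracking for a
// template rendering endpoint. The heap sampler is injectable so the logic
// can be exercised deterministically; by default it reads the live heap.

// Wraps a render function, measures heap growth across the call and flags
// renders whose growth is out of proportion to the size of the input.
function trackRender(render, template, options = {}) {
  const {
    measure = () => process.memoryUsage().heapUsed, // live heap by default
    maxGrowthRatio = 100, // assumed threshold: heap growth > 100x input size
    now = () => Date.now(),
  } = options;

  const before = measure();
  const started = now();
  let output = null;
  let error = null;
  try {
    output = render(template);
  } catch (e) {
    // A render that throws (for example when a configured limit is hit)
    // is treated as a signal worth logging rather than silently dropped.
    error = e;
  }
  const after = measure();
  const heapDelta = Math.max(0, after - before);
  const inputBytes = Buffer.byteLength(template, 'utf8');
  const growthRatio = inputBytes > 0 ? heapDelta / inputBytes : 0;

  return {
    output,
    error,
    heapDelta,
    inputBytes,
    growthRatio,
    flagged: growthRatio > maxGrowthRatio || error !== null,
    durationMs: now() - started,
  };
}

// Serialises a tracking result as one structured log line, the shape an
// alerting rule could key on (the field names are this example's own).
function toLogLine(result, requestId) {
  return JSON.stringify({
    event: 'template_render',
    requestId,
    inputBytes: result.inputBytes,
    heapDelta: result.heapDelta,
    growthRatio: Number(result.growthRatio.toFixed(2)),
    durationMs: result.durationMs,
    flagged: result.flagged,
    error: result.error ? String(result.error.message) : null,
  });
}

// Deterministic heap sampler for demonstrations: returns the given readings
// in order and repeats the last one (constructed values, not real heap data).
function sequenceMeasure(readings) {
  let i = 0;
  return () => readings[Math.min(i++, readings.length - 1)];
}

// Constructed stand-in renderer that returns its input unchanged.
function fakeRender(template) {
  return template;
}

// Demo: a 100-byte template whose render "grows" the heap by 50,000 bytes
// (constructed readings) is flagged; one that grows by 500 bytes is not.
function demo() {
  const template = 'x'.repeat(100);
  const suspicious = trackRender(fakeRender, template, {
    measure: sequenceMeasure([1000, 51000]),
  });
  const benign = trackRender(fakeRender, template, {
    measure: sequenceMeasure([1000, 1500]),
  });
  return { suspicious, benign };
}

const { suspicious, benign } = demo();
console.log(toLogLine(suspicious, 'req-constructed-1'));
console.log(toLogLine(benign, 'req-constructed-2'));
```

Heap readings from `process.memoryUsage()` are coarse and affected by garbage collection, so a single flagged render is a reason to log and correlate, not a verdict; the useful signal is the distribution of growth ratios per endpoint over time, which is what the "alerting for memory usage anomalies" item above is asking for.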
How to Mitigate CVE-2026-34166
Immediate Actions Required
- Upgrade LiquidJS to version 10.25.3 or later immediately
- Review application logs for signs of memory exhaustion attacks
- Implement additional application-level memory limits as a defense-in-depth measure
- Restrict or sanitize user-controlled template content where possible
Patch Information
The vulnerability is fixed in LiquidJS version 10.25.3. The fix correctly calculates the output size by computing the actual memory that will be consumed based on the number of pattern occurrences and the size difference between the replacement and pattern strings. The patch is available via the GitHub Release v10.25.3 and detailed in the GitHub Security Advisory GHSA-mmg9-6m6j-jqqx.
Workarounds
- Implement strict input validation on template content before processing
- Deploy additional process-level memory limits using container orchestration or OS-level controls
- Disable user-controlled templates if not strictly required by business logic
- Consider implementing template complexity analysis to reject potentially malicious inputs
# Update LiquidJS to the patched version
npm update liquidjs@10.25.3
# Or install specifically
npm install liquidjs@^10.25.3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.