CVE-2026-33285
Received Received - Intake
Memory Limit Bypass in LiquidJS Causes Node.js DoS Crash

Publication date: 2026-03-26

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's `memoryLimit` security mechanism can be completely bypassed by using reverse range expressions (e.g., `(100000000..1)`), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., `replace` filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request. Version 10.25.1 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33285
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
liquidjs liquidjs to 10.25.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability described in CVE-2026-33285 causes a complete denial of service by crashing the Node.js process through memory limit bypass and fatal errors. It does not impact confidentiality or integrity of data, as the CVSS score indicates no impact on these aspects (C:N/I:N).

Since the vulnerability leads to availability issues only, it may affect compliance with standards and regulations that require high availability and service continuity, such as HIPAA's requirements for system availability and GDPR's requirements for data processing availability.

However, there is no direct indication from the provided information that this vulnerability causes data breaches or unauthorized data access, so its impact on compliance is primarily related to potential service disruption rather than data protection failures.

Executive Summary

CVE-2026-33285 is a high-severity vulnerability in LiquidJS, a JavaScript template engine. The issue arises because LiquidJS's memoryLimit security mechanism can be bypassed by using reverse range expressions, such as (100000000..1). Normally, LiquidJS tracks memory usage by calculating the size of ranges, but reverse ranges produce a large negative number that is not properly validated.

This negative value corrupts the internal memory counter, allowing attackers to bypass the memory limit and allocate unlimited memory. When combined with string operations like the replace filter, this causes the V8 JavaScript engine to attempt to flatten a very large string, triggering a fatal error that crashes the Node.js process.

The crash is immediate and cannot be caught by JavaScript error handlers, resulting in a complete denial of service from a single HTTP request that includes a crafted Liquid template.

Impact Analysis

This vulnerability can cause a complete denial of service on any Node.js service using LiquidJS with the vulnerable versions (≀ 10.24.x). An attacker can send a single crafted HTTP request containing malicious Liquid templates that bypass memory limits and crash the Node.js process.

The impact includes:

  • Immediate and unrecoverable crash of the Node.js process.
  • Termination of all in-flight requests and service downtime.
  • Potential restart loops if automatic restart policies are in place, prolonging downtime.
  • False sense of security for administrators relying on the memoryLimit feature.
Detection Guidance

This vulnerability can be detected by monitoring for unexpected Node.js process crashes with exit code 133 (SIGTRAP), which indicates a fatal V8 error triggered by memory limit bypass in LiquidJS.

Detection can also involve inspecting HTTP requests to endpoints that render user-supplied Liquid templates for the presence of reverse range expressions such as `(100000000..1)` or multiple reverse ranges combined with string flattening operations like the `replace` filter.

Since the vulnerability is triggered by crafted Liquid templates, analyzing logs or traffic for templates containing reverse ranges and repeated string appends can help identify exploitation attempts.

Suggested commands to detect suspicious activity include:

  • Check Node.js process exit codes and logs for fatal errors or crashes with exit code 133.
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture HTTP requests and grep for suspicious Liquid template patterns like `(100000000..1)`.
  • Search application logs for Liquid templates containing multiple reverse ranges and string operations such as `replace`.
Mitigation Strategies

The immediate mitigation step is to upgrade LiquidJS to version 10.25.1 or later, where the memoryLimit bypass issue has been patched by validating that only positive counts affect memory usage.

If upgrading is not immediately possible, restrict or disable user-supplied Liquid template rendering, especially in publicly accessible endpoints, to prevent attackers from sending malicious templates.

Implement monitoring and alerting on Node.js process crashes with exit code 133 to detect exploitation attempts early.

Consider isolating the affected service in a container or environment where automatic restarts do not cause restart loops, as the vulnerability can cause repeated crashes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33285. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart