CVE-2026-33285
Memory Limit Bypass in LiquidJS Causes Node.js DoS Crash
Publication date: 2026-03-26
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liquidjs | liquidjs | to 10.25.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33285 is a high-severity vulnerability in LiquidJS, a JavaScript template engine. The issue arises because LiquidJS's memoryLimit security mechanism can be bypassed by using reverse range expressions, such as (100000000..1). Normally, LiquidJS tracks memory usage by calculating the size of ranges, but reverse ranges produce a large negative number that is not properly validated.
This negative value corrupts the internal memory counter, allowing attackers to bypass the memory limit and allocate unlimited memory. When combined with string operations like the replace filter, this causes the V8 JavaScript engine to attempt to flatten a very large string, triggering a fatal error that crashes the Node.js process.
The crash is immediate and cannot be caught by JavaScript error handlers, resulting in a complete denial of service from a single HTTP request that includes a crafted Liquid template.
How can this vulnerability impact me? :
This vulnerability can cause a complete denial of service on any Node.js service using LiquidJS with the vulnerable versions (β€ 10.24.x). An attacker can send a single crafted HTTP request containing malicious Liquid templates that bypass memory limits and crash the Node.js process.
The impact includes:
- Immediate and unrecoverable crash of the Node.js process.
- Termination of all in-flight requests and service downtime.
- Potential restart loops if automatic restart policies are in place, prolonging downtime.
- False sense of security for administrators relying on the memoryLimit feature.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unexpected Node.js process crashes with exit code 133 (SIGTRAP), which indicates a fatal V8 error triggered by memory limit bypass in LiquidJS.
Detection can also involve inspecting HTTP requests to endpoints that render user-supplied Liquid templates for the presence of reverse range expressions such as `(100000000..1)` or multiple reverse ranges combined with string flattening operations like the `replace` filter.
Since the vulnerability is triggered by crafted Liquid templates, analyzing logs or traffic for templates containing reverse ranges and repeated string appends can help identify exploitation attempts.
Suggested commands to detect suspicious activity include:
- Check Node.js process exit codes and logs for fatal errors or crashes with exit code 133.
- Use network monitoring tools (e.g., tcpdump, Wireshark) to capture HTTP requests and grep for suspicious Liquid template patterns like `(100000000..1)`.
- Search application logs for Liquid templates containing multiple reverse ranges and string operations such as `replace`.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade LiquidJS to version 10.25.1 or later, where the memoryLimit bypass issue has been patched by validating that only positive counts affect memory usage.
If upgrading is not immediately possible, restrict or disable user-supplied Liquid template rendering, especially in publicly accessible endpoints, to prevent attackers from sending malicious templates.
Implement monitoring and alerting on Node.js process crashes with exit code 133 to detect exploitation attempts early.
Consider isolating the affected service in a container or environment where automatic restarts do not cause restart loops, as the vulnerability can cause repeated crashes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability described in CVE-2026-33285 causes a complete denial of service by crashing the Node.js process through memory limit bypass and fatal errors. It does not impact confidentiality or integrity of data, as the CVSS score indicates no impact on these aspects (C:N/I:N).
Since the vulnerability leads to availability issues only, it may affect compliance with standards and regulations that require high availability and service continuity, such as HIPAA's requirements for system availability and GDPR's requirements for data processing availability.
However, there is no direct indication from the provided information that this vulnerability causes data breaches or unauthorized data access, so its impact on compliance is primarily related to potential service disruption rather than data protection failures.