CVE-2026-33287
Exponential Memory Amplification in LiquidJS replace_first Filter
Publication date: 2026-03-26
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liquidjs | liquidjs | to 10.25.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33287 is a vulnerability in LiquidJS, a JavaScript template engine, specifically in its `replace_first` filter. This filter uses JavaScript's native `String.prototype.replace()` method, which interprets the `$&` pattern as a backreference to the matched substring.
The vulnerability arises because LiquidJS only accounts for the input string's length when enforcing its memory limit, not the potentially much larger output string generated by repeated `$&` expansions. An attacker can exploit this by crafting a replacement string with multiple `$&` patterns, causing exponential memory amplificationβup to 625,000 times the input sizeβwhile staying within the memory limit budget.
This leads to excessive memory consumption and denial of service (DoS) by blocking the Node.js event loop and making the server unresponsive. The issue was patched in version 10.25.1 by changing the replacement logic to treat replacement strings literally, preventing `$&` from being interpreted as a backreference.
How can this vulnerability impact me? :
This vulnerability can cause a denial of service (DoS) condition on servers running vulnerable versions of LiquidJS. An attacker can remotely trigger exponential memory amplification by exploiting the `replace_first` filter with crafted input, leading to excessive memory usage.
The attack bypasses the memory limit enforcement in LiquidJS, causing the Node.js event loop to block and the server to become unresponsive. Legitimate user requests may experience significant latency or fail entirely due to resource exhaustion.
- Denial of Service through memory exhaustion
- Server unresponsiveness and increased latency
- Remote exploitation without any privileges or user interaction
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying usage of vulnerable LiquidJS versions (up to 10.24.x) that use the `replace_first` filter with replacement strings containing the `$&` pattern, which causes exponential memory amplification.
Since the vulnerability causes denial of service by excessive memory consumption and event loop blocking, monitoring for unusually high memory usage or latency in services using LiquidJS can be an indicator.
Specific commands to detect vulnerable versions or exploit attempts are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade LiquidJS to version 10.25.1 or later, where the vulnerability in the `replace_first` filter has been patched.
The patch changes the `replace_first` function to treat replacement strings literally, preventing the `$&` backreference expansion and thus stopping the exponential memory amplification.
Until the upgrade is applied, avoid using the `replace_first` filter with replacement strings containing `$&` or similar patterns that could trigger the amplification.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information about CVE-2026-33287 does not include any details regarding its impact on compliance with common standards and regulations such as GDPR or HIPAA.