CVE-2026-33287
Received Received - Intake
Exponential Memory Amplification in LiquidJS replace_first Filter

Publication date: 2026-03-26

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the `replace_first` filter in LiquidJS uses JavaScript's `String.prototype.replace()` which interprets `$&` as a back reference to the matched substring. The filter only charges `memoryLimit` for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the `memoryLimit` budget, leading to denial of service. Version 10.25.1 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33287
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
liquidjs liquidjs to 10.25.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information about CVE-2026-33287 does not include any details regarding its impact on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-33287 is a vulnerability in LiquidJS, a JavaScript template engine, specifically in its `replace_first` filter. This filter uses JavaScript's native `String.prototype.replace()` method, which interprets the `$&` pattern as a backreference to the matched substring.

The vulnerability arises because LiquidJS only accounts for the input string's length when enforcing its memory limit, not the potentially much larger output string generated by repeated `$&` expansions. An attacker can exploit this by crafting a replacement string with multiple `$&` patterns, causing exponential memory amplificationβ€”up to 625,000 times the input sizeβ€”while staying within the memory limit budget.

This leads to excessive memory consumption and denial of service (DoS) by blocking the Node.js event loop and making the server unresponsive. The issue was patched in version 10.25.1 by changing the replacement logic to treat replacement strings literally, preventing `$&` from being interpreted as a backreference.

Impact Analysis

This vulnerability can cause a denial of service (DoS) condition on servers running vulnerable versions of LiquidJS. An attacker can remotely trigger exponential memory amplification by exploiting the `replace_first` filter with crafted input, leading to excessive memory usage.

The attack bypasses the memory limit enforcement in LiquidJS, causing the Node.js event loop to block and the server to become unresponsive. Legitimate user requests may experience significant latency or fail entirely due to resource exhaustion.

  • Denial of Service through memory exhaustion
  • Server unresponsiveness and increased latency
  • Remote exploitation without any privileges or user interaction
Detection Guidance

Detection of this vulnerability involves identifying usage of vulnerable LiquidJS versions (up to 10.24.x) that use the `replace_first` filter with replacement strings containing the `$&` pattern, which causes exponential memory amplification.

Since the vulnerability causes denial of service by excessive memory consumption and event loop blocking, monitoring for unusually high memory usage or latency in services using LiquidJS can be an indicator.

Specific commands to detect vulnerable versions or exploit attempts are not provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to upgrade LiquidJS to version 10.25.1 or later, where the vulnerability in the `replace_first` filter has been patched.

The patch changes the `replace_first` function to treat replacement strings literally, preventing the `$&` backreference expansion and thus stopping the exponential memory amplification.

Until the upgrade is applied, avoid using the `replace_first` filter with replacement strings containing `$&` or similar patterns that could trigger the amplification.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33287. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart