CVE-2026-34166
Memory Limit Bypass DoS in LiquidJS replace Filter
Publication date: 2026-04-08
Last updated on: 2026-04-10
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liquidjs | liquidjs | < 10.25.3 (10.25.3 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34166 is a vulnerability in LiquidJS, a JavaScript template engine. The issue occurs in the replace filter when the memoryLimit option is enabled. The filter incorrectly calculates memory usage by summing the lengths of the input string, the pattern to be replaced, and the replacement string. However, the actual output after replacement can be much larger (quadratically larger) if the pattern occurs many times in the input string.
This miscalculation allows an attacker who controls the template content to bypass the memory limit protection by approximately 2,500 times, potentially causing out-of-memory conditions and denial of service. The vulnerability is fixed in version 10.25.3 by accurately calculating the expected output size based on the number of replacements and the difference in length between the replacement and the pattern.
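As an added illustration (not LiquidJS's own code), the following constructed model puts the summed-operand estimate described above next to the corrected per-replacement calculation and checks both against an assumed memoryLimit; every function name and sample input here is an assumption made for this example.

```javascript
// Added illustrative model of the replace-filter accounting described for CVE-2026-34166.
// NOT LiquidJS source: function names, the memoryLimit guard and inputs are constructed here.
// Count non-overlapping occurrences of a non-empty pattern in the input.
function countOccurrences(input, pattern) {
  if (pattern.length === 0) return 0; // constructed choice: empty pattern replaces nothing
  let count = 0;
  let idx = input.indexOf(pattern);
  while (idx !== -1) {
    count += 1;
    idx = input.indexOf(pattern, idx + pattern.length);
  }
  return count;
}

// Replace every non-overlapping occurrence (same semantics as countOccurrences).
function performReplace(input, pattern, replacement) {
  if (pattern.length === 0) return input;
  return input.split(pattern).join(replacement);
}

// Flawed estimate, as the advisory describes the pre-10.25.3 behaviour: it charges
// only the three operands and ignores how many times the pattern occurs.
function naiveEstimate(input, pattern, replacement) {
  return input.length + pattern.length + replacement.length;
}

// Corrected estimate, as the advisory describes the fix: input size plus the
// per-replacement length change multiplied by the number of replacements.
function accurateEstimate(input, pattern, replacement) {
  const n = countOccurrences(input, pattern);
  return input.length + n * (replacement.length - pattern.length);
}

// A memoryLimit-style guard: true when the estimate fits under the limit.
function withinLimit(estimate, memoryLimit) {
  return estimate <= memoryLimit;
}

// Compare both estimates with the real output size and with the guard's verdict.
function compare(input, pattern, replacement, memoryLimit) {
  const naive = naiveEstimate(input, pattern, replacement);
  const accurate = accurateEstimate(input, pattern, replacement);
  const actual = performReplace(input, pattern, replacement).length;
  return { naive, accurate, actual,
           naiveAllows: withinLimit(naive, memoryLimit),
           accurateAllows: withinLimit(accurate, memoryLimit) };
}
// Constructed worst case: a 1-char pattern occurring 1,000 times, a 1,000-char replacement.
console.log(compare('a'.repeat(1000), 'a', 'b'.repeat(1000), 100000));
```

With these inputs the summed estimate is 2,001 characters while the real output is 1,000,000, so the naive guard admits a render that the corrected guard rejects.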
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker who can control template content to bypass memory limits set during template rendering. This can lead to excessive memory consumption (up to 2,500 times more than accounted for), resulting in out-of-memory crashes, denial of service, and resource exhaustion.
The impact is limited to availability, meaning it can disrupt service by exhausting system resources but does not affect confidentiality or integrity of data. Exploitation requires that the memoryLimit option is enabled (which is not the default) and that the attacker can supply or modify template content.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises when the memoryLimit option is enabled in LiquidJS and the replace filter is used with template content that causes a large number of replacements, leading to a memory usage bypass. Detection involves monitoring for unusually high memory consumption or out-of-memory conditions during template rendering when memory limiting is enabled.
Since the vulnerability is related to the replace filter in LiquidJS versions prior to 10.25.3, you can detect vulnerable versions by checking the installed LiquidJS package version.
There are no specific network commands provided to detect this vulnerability, but you can use commands to check the installed package version and monitor memory usage during template rendering.
- Check LiquidJS version installed: `npm list liquidjs` or `yarn list liquidjs`
- Monitor memory usage of the application running LiquidJS templates, for example using `top`, `htop`, or `ps` commands on Linux.
- Review template content for excessive use of the replace filter with large replacement strings or many pattern occurrences.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade LiquidJS to version 10.25.3 or later, where the memory limit calculation in the replace filter has been fixed to accurately account for the actual output size.
If upgrading immediately is not possible, consider disabling the memoryLimit option to avoid incorrect memory usage calculations, though this removes memory limiting protections.
Additionally, restrict or sanitize template content to prevent attackers from injecting templates that exploit the replace filter with large or numerous replacements.
- Upgrade LiquidJS to version 10.25.3 or later.
- Disable the memoryLimit option temporarily if feasible.
- Validate and sanitize user-controlled template inputs to limit exploitability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability impacts availability by allowing an attacker to cause out-of-memory conditions and denial of service through memory limit bypass in LiquidJS templates. It does not affect confidentiality or integrity of data.
Since the vulnerability only affects availability and requires both enabling a non-default memory limit option and the ability to control template content, it does not directly lead to data breaches or unauthorized data access.
Therefore, the vulnerability's impact on compliance with standards like GDPR or HIPAA, which primarily focus on protecting personal data confidentiality and integrity, is limited. However, denial of service could indirectly affect service availability requirements under some regulations.