CVE-2026-34166
Received Received - Intake
Memory Limit Bypass DoS in LiquidJS replace Filter

Publication date: 2026-04-08

Last updated on: 2026-04-10

Assigner: GitHub, Inc.

Description
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limiter, but the actual output from str.split(pattern).join(replacement) can be quadratically larger when the pattern occurs many times in the input string. This allows an attacker who controls template content to bypass the memoryLimit DoS protection with approximately 2,500x amplification, potentially causing out-of-memory conditions. This vulnerability is fixed in 10.25.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-34166
EUVD
EUVD-2026-20554
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
liquidjs liquidjs to 10.25.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34166 is a vulnerability in LiquidJS, a JavaScript template engine. The issue occurs in the replace filter when the memoryLimit option is enabled. The filter incorrectly calculates memory usage by summing the lengths of the input string, the pattern to be replaced, and the replacement string. However, the actual output after replacement can be much largerβ€”quadratically largerβ€”if the pattern occurs many times in the input string.

This miscalculation allows an attacker who controls the template content to bypass the memory limit protection by approximately 2,500 times, potentially causing out-of-memory conditions and denial of service. The vulnerability is fixed in version 10.25.3 by accurately calculating the expected output size based on the number of replacements and the difference in length between the replacement and the pattern.

Impact Analysis

This vulnerability can impact you by allowing an attacker who can control template content to bypass memory limits set during template rendering. This can lead to excessive memory consumptionβ€”up to 2,500 times more than accounted forβ€”resulting in out-of-memory crashes, denial of service, and resource exhaustion.

The impact is limited to availability, meaning it can disrupt service by exhausting system resources but does not affect confidentiality or integrity of data. Exploitation requires that the memoryLimit option is enabled (which is not the default) and that the attacker can supply or modify template content.

Detection Guidance

This vulnerability arises when the memoryLimit option is enabled in LiquidJS and the replace filter is used with template content that causes a large number of replacements, leading to a memory usage bypass. Detection involves monitoring for unusually high memory consumption or out-of-memory conditions during template rendering when memory limiting is enabled.

Since the vulnerability is related to the replace filter in LiquidJS versions prior to 10.25.3, you can detect vulnerable versions by checking the installed LiquidJS package version.

There are no specific network commands provided to detect this vulnerability, but you can use commands to check the installed package version and monitor memory usage during template rendering.

  • Check LiquidJS version installed: `npm list liquidjs` or `yarn list liquidjs`
  • Monitor memory usage of the application running LiquidJS templates, for example using `top`, `htop`, or `ps` commands on Linux.
  • Review template content for excessive use of the replace filter with large replacement strings or many pattern occurrences.
Mitigation Strategies

The primary mitigation is to upgrade LiquidJS to version 10.25.3 or later, where the memory limit calculation in the replace filter has been fixed to accurately account for the actual output size.

If upgrading immediately is not possible, consider disabling the memoryLimit option to avoid incorrect memory usage calculations, though this removes memory limiting protections.

Additionally, restrict or sanitize template content to prevent attackers from injecting templates that exploit the replace filter with large or numerous replacements.

  • Upgrade LiquidJS to version 10.25.3 or later.
  • Disable the memoryLimit option temporarily if feasible.
  • Validate and sanitize user-controlled template inputs to limit exploitability.
Compliance Impact

This vulnerability impacts availability by allowing an attacker to cause out-of-memory conditions and denial of service through memory limit bypass in LiquidJS templates. It does not affect confidentiality or integrity of data.

Since the vulnerability only affects availability and requires both enabling a non-default memory limit option and the ability to control template content, it does not directly lead to data breaches or unauthorized data access.

Therefore, the vulnerability's impact on compliance with standards like GDPR or HIPAA, which primarily focus on protecting personal data confidentiality and integrity, is limited. However, denial of service could indirectly affect service availability requirements under some regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34166. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart