CVE-2026-33285

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-33285

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33285.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-33285

Aliases

GHSA-9r5m-9576-7f6x

Downstream

MINI-25wf-pp5r-m3j2

Published

2026-03-26T00:34:25.169Z

Modified

2026-04-10T05:42:41.143431Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash

Details

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's memoryLimit security mechanism can be completely bypassed by using reverse range expressions (e.g., (100000000..1)), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., replace filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request. Version 10.25.1 patches the issue.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33285.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-20",
        "CWE-400"
    ]
}

References

Affected packages

Git / github.com/harttle/liquidjs

Affected ranges

Type

GIT

Repo

https://github.com/harttle/liquidjs

Events

Introduced

Fixed

97d829116c6774d8608f65b2bb41905ab4c8eddf

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "10.25.1"
        }
    ]
}

Affected versions

v1.*

v1.2.0

v1.3.3

v1.4.1

v1.4.2

v1.4.3

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.6.0

v1.6.1

v1.6.2

v1.7.0

v1.7.1

v1.7.2

v1.7.3

v1.7.4

v1.7.5

v1.7.6

v1.7.7

v1.7.8

v1.7.9

v1.8.0

v1.9.0

v1.9.1

v1.9.2

v1.9.3

v1.9.4

v1.9.5

v1.9.6

v1.9.7

v10.*

v10.0.0

v10.1.0

v10.10.0

v10.10.1

v10.10.2

v10.11.0

v10.11.1

v10.12.0

v10.13.0

v10.13.1

v10.14.0

v10.15.0

v10.16.0

v10.16.1

v10.16.2

v10.16.3

v10.16.4

v10.16.5

v10.16.6

v10.16.7

v10.17.0

v10.18.0

v10.19.0

v10.19.1

v10.2.0

v10.20.0

v10.20.1

v10.20.2

v10.20.3

v10.21.0

v10.21.1

v10.22.0

v10.23.0

v10.24.0

v10.25.0

v10.3.0

v10.3.1

v10.3.2

v10.3.3

v10.4.0

v10.5.0

v10.6.0

v10.6.1

v10.6.2

v10.7.0

v10.7.1

v10.8.0

v10.8.1

v10.8.2

v10.8.3

v10.8.4

v10.9.0

v10.9.1

v10.9.2

v10.9.3

v10.9.4

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.0.3

v2.1.0

v2.1.1

v2.1.2

v2.1.3

v2.1.4

v2.2.0

v2.2.1

v3.*

v3.0.0

v3.1.0

v3.1.1

v3.1.2

v3.1.3

v4.*

v4.0.0

v5.*

v5.0.0

v5.0.1

v5.0.2

v5.1.0

v5.1.1

v5.2.0

v5.3.0-0

v6.*

v6.0.0

v6.0.1

v6.1.1

v6.2.0

v6.2.1

v6.3.0

v6.3.1

v6.4.0

v6.4.1

v6.4.2

v6.4.3

v7.*

v7.0.0

v7.0.1

v7.0.2

v7.1.0

v7.2.0

v7.2.1

v7.2.2

v7.3.0

v7.3.1

v7.4.0

v7.5.0

v7.5.1

v8.*

v8.0.0

v8.0.1

v8.0.2

v8.0.3

v8.1.0

v8.2.0

v8.2.1

v8.2.2

v8.2.3

v8.2.4

v8.3.0

v8.4.0

v8.4.1

v8.5.0

v8.5.1

v8.5.2

v8.5.3

v9.*

v9.0.0

v9.0.1

v9.1.0

v9.1.1

v9.10.0

v9.11.0

v9.11.1

v9.11.10

v9.11.11

v9.11.2

v9.11.3

v9.11.4

v9.11.5

v9.11.6

v9.11.7

v9.11.8

v9.11.9

v9.12.0

v9.13.0

v9.14.0

v9.14.1

v9.15.0

v9.15.1

v9.16.0

v9.16.1

v9.17.0

v9.18.0

v9.19.0

v9.2.0

v9.20.0

v9.20.1

v9.21.0

v9.22.0

v9.22.1

v9.23.0

v9.23.1

v9.23.2

v9.23.3

v9.23.4

v9.24.0

v9.24.1

v9.24.2

v9.25.0

v9.25.1

v9.26.0

v9.27.0

v9.27.1

v9.28.0

v9.28.1

v9.28.2

v9.28.3

v9.28.4

v9.28.5

v9.28.6

v9.29.0

v9.3.0

v9.3.1

v9.30.0

v9.31.0

v9.32.0

v9.32.1

v9.33.0

v9.33.1

v9.34.0

v9.34.1

v9.35.0

v9.35.1

v9.35.2

v9.36.0

v9.36.1

v9.36.2

v9.37.0

v9.38.0

v9.39.0

v9.39.1

v9.39.2

v9.4.0

v9.4.1

v9.4.2

v9.40.0

v9.41.0

v9.42.0

v9.42.1

v9.43.0

v9.5.0

v9.6.0

v9.6.1

v9.6.2

v9.7.0

v9.7.1

v9.7.2

v9.8.0

v9.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33285.json"