{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33285", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T18:55:47.426Z", "datePublished": "2026-03-26T00:34:25.169Z", "dateUpdated": "2026-03-28T02:08:05.711Z"}, "containers": {"cna": {"title": "LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x"}, {"name": "https://github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578", "tags": ["x_refsource_MISC"], "url": "https://github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578"}], "affected": [{"vendor": "harttle", "product": "liquidjs", "versions": [{"version": "< 10.25.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T00:34:25.169Z"}, "descriptions": [{"lang": "en", "value": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's `memoryLimit` security mechanism can be completely bypassed by using reverse range expressions (e.g., `(100000000..1)`), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., `replace` filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request. Version 10.25.1 patches the issue."}], "source": {"advisory": "GHSA-9r5m-9576-7f6x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-28T02:06:55.564481Z", "id": "CVE-2026-33285", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T02:08:05.711Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33285", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-28T02:06:55.564481Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T02:08:01.337Z"}}], "cna": {"title": "LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash", "source": {"advisory": "GHSA-9r5m-9576-7f6x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "harttle", "product": "liquidjs", "versions": [{"status": "affected", "version": "< 10.25.1"}]}], "references": [{"url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x", "name": "https://github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578", "name": "https://github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's `memoryLimit` security mechanism can be completely bypassed by using reverse range expressions (e.g., `(100000000..1)`), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., `replace` filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request. Version 10.25.1 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T00:34:25.169Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33285", "state": "PUBLISHED", "dateUpdated": "2026-03-28T02:08:05.711Z", "dateReserved": "2026-03-18T18:55:47.426Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T00:34:25.169Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:liquidjs:liquidjs:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7E49E8C9-5FB9-40CA-BE2C-AC2B6553F472", "versionEndExcluding": "10.25.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's `memoryLimit` security mechanism can be completely bypassed by using reverse range expressions (e.g., `(100000000..1)`), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., `replace` filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request. Version 10.25.1 patches the issue."}, {"lang": "es", "value": "LiquidJS es un motor de plantillas compatible con Shopify / GitHub Pages en JavaScript puro. Antes de la versi\u00f3n 10.25.1, el mecanismo de seguridad 'memoryLimit' de LiquidJS puede ser completamente eludido mediante el uso de expresiones de rango inverso (por ejemplo, '(100000000..1)'), permitiendo a un atacante asignar memoria ilimitada. Combinado con una operaci\u00f3n de aplanamiento de cadenas (por ejemplo, el filtro 'replace'), esto causa un error fatal de V8 que provoca la ca\u00edda del proceso de Node.js, resultando en una denegaci\u00f3n de servicio completa desde una \u00fanica solicitud HTTP. La versi\u00f3n 10.25.1 corrige el problema."}], "id": "CVE-2026-33285", "lastModified": "2026-03-30T16:46:19.273", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T01:16:27.363", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.25.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "liquidjs", "source": "cna", "vendor": "harttle"}, "product": "liquidjs", "vendor": "harttle"}], "analysis": {"en": {"generated_at": "2026-03-30T18:29:42.139268+00:00", "value": {"mitigation_remediation": ["Upgrade LiquidJS to version 10.25.1 or later.", "If an upgrade is not immediately possible, consider removing or disabling LiquidJS usage from the application or restricting its inputs to prevent range expressions.", "Verify that the \"memoryLimit\" setting is correctly configured and that no other code can manipulate it.", "Apply any additional runtime isolation or error handling to prevent process termination from untrusted templates."], "summary": {"action": "Patch Immediately", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects versions of LiquidJS supplied by harttle:liquidjs that are older than 10.25.1. All releases before that version are susceptible when the memoryLimit feature is enabled.", "description_and_impact": "LiquidJS is a template engine that enforces a memory limit through a \"memoryLimit\" setting to prevent excessive resource usage. Prior to version 10.25.1 this limit can be fully bypassed by using reverse range expressions such as (100000000..1). When combined with a string\u2011flattening operation, the V8 engine throws a fatal error that crashes the Node.js process. The result is a complete denial of service caused by a single HTTP request.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity. EPSS is below one percent, implying low current exploitation activity; it is not listed in the CISA KEV catalog. The likely attack vector is remote, via a crafted HTTP request to an application that uses the vulnerable LiquidJS engine. An attacker can trigger the crash from the outside without local privileges, leading to service interruption."}}}}, "created": "2026-03-26T11:30:53.032114+00:00", "updated": "2026-03-30T20:57:43.798697+00:00", "vendors": ["harttle", "harttle$PRODUCT$liquidjs"]}