LiquidJS is a widely used JavaScript template engine compatible with Shopify and GitHub Pages. Prior to version 10.25.1, it contains a critical vulnerability (CVE-2026-33285) stemming from improper input validation (CWE-20) and resource exhaustion (CWE-400). The vulnerability arises because the memoryLimit mechanism, designed to restrict memory usage, can be bypassed by crafting reverse range expressions such as (100000000..1). This bypass allows attackers to allocate unlimited memory. When this is combined with string flattening operations like the replace filter, it causes the underlying V8 JavaScript engine to encounter a fatal error, crashing the Node.js process hosting the application. This crash results in a denial of service (DoS) condition triggered by a single HTTP request, requiring no privileges or user interaction. The flaw affects all versions of LiquidJS before 10.25.1, which was released to patch this issue. The CVSS v3.1 score is 7.5 (high), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and a high impact on availability. Although no exploits have been observed in the wild yet, the vulnerability poses a significant risk to any Node.js applications using vulnerable LiquidJS versions, especially those exposed to untrusted user input in templating contexts.

The primary impact of this vulnerability is a denial of service condition caused by crashing the Node.js process running LiquidJS. This can disrupt web services, e-commerce platforms, and static site generators relying on LiquidJS, leading to downtime and potential loss of revenue or user trust. Since the attack requires only a single HTTP request and no authentication, it can be exploited remotely by unauthenticated attackers, increasing the risk of widespread disruption. Organizations using LiquidJS in public-facing applications are particularly vulnerable. The unlimited memory allocation could also lead to resource exhaustion on hosting infrastructure, potentially affecting other applications on shared servers. While confidentiality and integrity are not directly impacted, the availability impact is severe, especially for high-traffic or critical web services. The vulnerability could be leveraged as part of a larger attack chain to cause service outages or degrade user experience.

The definitive mitigation is to upgrade LiquidJS to version 10.25.1 or later, which patches the memoryLimit bypass vulnerability. Until upgrading is possible, organizations should implement strict input validation and sanitization on all user-supplied data passed to LiquidJS templates, specifically filtering or rejecting suspicious range expressions such as reverse ranges. Rate limiting and web application firewalls (WAFs) can help detect and block anomalous requests attempting to exploit this vulnerability. Monitoring Node.js application logs and system resource usage can provide early warning signs of attempted exploitation. Additionally, isolating Node.js processes and employing container resource limits can reduce the impact of memory exhaustion. Developers should audit template usage patterns to avoid complex or untrusted input in range expressions and string flattening filters. Finally, maintain an incident response plan to quickly recover from potential DoS events caused by this vulnerability.