CVE-2026-33287: CWE-20: Improper Input Validation in harttle liquidjs
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the `replace_first` filter in LiquidJS uses JavaScript's `String.prototype.replace()` which interprets `$&` as a back reference to the matched substring. The filter only charges `memoryLimit` for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the `memoryLimit` budget, leading to denial of service. Version 10.25.1 patches the issue.
AI Analysis
Technical Summary
LiquidJS is a JavaScript-based template engine compatible with Shopify and GitHub Pages. CVE-2026-33287 stems from the `replace_first` filter's use of JavaScript's native `String.prototype.replace()`, which interprets special replacement patterns such as `$&` as references to the matched substring. The filter enforces a memory limit based on the input string length but does not account for the output size amplification these replacement patterns can cause. An attacker can exploit this by submitting crafted input that triggers exponential memory amplification (up to 625,000 times the original input size), leading to excessive memory consumption and denial of service. This is a classic case of improper input validation (CWE-20) combined with resource exhaustion (CWE-400). The vulnerability affects all LiquidJS versions prior to 10.25.1, which includes many deployments in e-commerce and static site generation contexts. The patch in version 10.25.1 addresses this by properly limiting output amplification and validating inputs to prevent excessive memory usage. No known exploits are currently in the wild, but the ease of exploitation and the impact make this a critical issue to address.
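The amplification mechanism described above, as an added example that is not LiquidJS's or the advisory's own code: a naive `replace_first` that charges `memoryLimit` only for the input sits beside a hardened variant that inserts the replacement literally and charges the projected output before allocating it. `naiveReplaceFirst`, `safeReplaceFirst`, `amplification` and `MemoryLimitError` are assumed names, and the sample input is constructed.

```javascript
// Added example, not LiquidJS's own code. Contrasts a replace_first-style
// filter that charges only the input length (the pre-10.25.1 behaviour the
// advisory describes) with one that inserts the replacement verbatim and
// charges the projected output. Function and class names are assumptions.

class MemoryLimitError extends Error {}

// Naive version: the replacement string goes straight into
// String.prototype.replace(), so `$&` (the match), `` $` `` (text before the
// match) and `$'` (text after it) are expanded from the input. Only the input
// length is checked against memoryLimit, never the expanded output.
function naiveReplaceFirst(input, pattern, replacement, memoryLimit) {
  if (input.length > memoryLimit) throw new MemoryLimitError('input over budget');
  return input.replace(pattern, replacement); // string pattern: first match only
}

// Hardened version: a function replacer returns the replacement verbatim, so
// `$` sequences are never interpreted, and the output size is known and
// charged against the budget before any allocation happens.
function safeReplaceFirst(input, pattern, replacement, memoryLimit) {
  const idx = input.indexOf(pattern);
  if (idx === -1) return input;
  const projected = input.length - pattern.length + replacement.length;
  if (projected > memoryLimit) {
    throw new MemoryLimitError(`output of ${projected} chars exceeds ${memoryLimit}`);
  }
  return input.replace(pattern, () => replacement);
}

// Ratio of produced output to the input the naive filter actually charged for.
function amplification(input, pattern, replacement, memoryLimit) {
  const out = naiveReplaceFirst(input, pattern, replacement, memoryLimit);
  return out.length / input.length;
}

// Constructed sample: a short input and a replacement made of repeated `$&`.
const sample = 'liquid';
const echo = '$&'.repeat(8); // 16 chars of replacement, expands to 48 chars
console.log(amplification(sample, sample, echo, 64));    // 8
console.log(safeReplaceFirst(sample, sample, echo, 64)); // literal "$&$&$&$&$&$&$&$&"
try {
  safeReplaceFirst(sample, sample, 'x'.repeat(100), 64);
} catch (e) {
  console.log(e instanceof MemoryLimitError, e.message);
}
```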
Potential Impact
The primary impact of this vulnerability is denial of service due to memory exhaustion. Attackers can remotely trigger the vulnerability without authentication or user interaction, making it highly accessible. Exploitation can cause web servers or applications using vulnerable LiquidJS versions to crash or become unresponsive, disrupting services and potentially causing financial and reputational damage. Since LiquidJS is used in Shopify-compatible environments and GitHub Pages, popular platforms with global reach, the scope of affected systems is broad. Organizations relying on these platforms for e-commerce or content delivery may face downtime, loss of customer trust, and operational disruptions. Additionally, the resource exhaustion could be leveraged as part of a larger attack campaign to degrade infrastructure availability.
Mitigation Recommendations
1. Upgrade all instances of LiquidJS to version 10.25.1 or later, where the vulnerability is patched.
2. Implement input validation and sanitization at the application layer to detect and reject suspicious replacement patterns, especially those involving `$&` or other special replacement tokens.
3. Employ runtime memory monitoring and limits at the container or process level to detect abnormal memory usage spikes and terminate affected processes proactively.
4. Use Web Application Firewalls (WAFs) with custom rules to block requests containing suspicious payloads targeting the `replace_first` filter.
5. Conduct code reviews and security testing focusing on template engines and string manipulation functions to identify similar amplification risks.
6. Educate developers on the risks of using native string replacement functions without proper output size checks in templating contexts.
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, India, Brazil, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T18:55:47.426Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c4854ef4197a8e3b9c70bf
Added to database: 3/26/2026, 1:01:02 AM
Last enriched: 3/26/2026, 1:16:19 AM
Last updated: 3/26/2026, 3:31:57 AM