CVE-2026-33285
Published: 26 March 2026
Summary
CVE-2026-33285 is a high-severity Improper Input Validation (CWE-20) vulnerability in LiquidJS. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 33.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of inputs to the LiquidJS template engine, directly preventing the bypass of memoryLimit via malicious reverse range expressions.
SC-5 protects against denial-of-service attacks like the memory exhaustion and Node.js crash triggered by crafted LiquidJS templates in HTTP requests.
SI-2 mandates timely flaw remediation, such as patching LiquidJS to version 10.25.1, eliminating the vulnerability exploited for uncontrolled memory allocation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote exploitation of public-facing applications (a malicious Liquid template in an HTTP request) to crash the process via resource exhaustion, mapping directly to T1190 and T1499.004.
NVD Description
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's `memoryLimit` security mechanism can be completely bypassed by using reverse range expressions (e.g., `(100000000..1)`), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., `replace` filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request. Version 10.25.1 patches the issue.
Deeper analysis
CVE-2026-33285 affects LiquidJS, a pure JavaScript template engine compatible with Shopify and GitHub Pages, in versions prior to 10.25.1. The vulnerability enables complete bypass of LiquidJS's `memoryLimit` security mechanism through the use of reverse range expressions, such as `(100000000..1)`. This allows attackers to allocate unlimited memory. When combined with a string flattening operation, like the `replace` filter, it triggers a V8 Fatal error that crashes the Node.js process.
The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-20 (Improper Input Validation) and CWE-400 (Uncontrolled Resource Consumption). Remote attackers require no privileges or user interaction to exploit it over the network with low complexity. By crafting a single malicious HTTP request containing a specially formed LiquidJS template, an attacker can induce a denial of service, fully crashing the Node.js process hosting the engine.
The GitHub security advisory (GHSA-9r5m-9576-7f6x) and patching commit (95ddefc056a11a44d9e753fd47a39db2c241e578) confirm that upgrading to LiquidJS version 10.25.1 resolves the bypass, restoring the effectiveness of the `memoryLimit` protection against such range-based memory exhaustion attacks.
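A compensating input-validation check in the spirit of SI-10, added here as an example and not taken from LiquidJS or the advisory: it lints untrusted template source for range expressions before the template reaches the engine. The function names, the finding labels and the `MAX_RANGE_SPAN` value are assumptions for illustration, and the check supplements the upgrade to 10.25.1 rather than replacing it.

```javascript
// Added example (not LiquidJS code): pre-render lint for Liquid range expressions.
// MAX_RANGE_SPAN is an assumed policy value; tune it to the application.
const MAX_RANGE_SPAN = 10000;

// Matches Liquid range syntax "(start..end)"; bounds may be literals or variables.
// Bounds exclude whitespace and parentheses so the pattern scans in linear time.
const RANGE_RE = /\(\s*([^()\s]+?)\s*\.\.\s*([^()\s]+?)\s*\)/g;
const INT_RE = /^-?\d+$/;

function auditRanges(templateSource, maxSpan = MAX_RANGE_SPAN) {
  const findings = [];
  for (const m of templateSource.matchAll(RANGE_RE)) {
    const [expr, lo, hi] = m;
    if (!INT_RE.test(lo) || !INT_RE.test(hi)) {
      // Bounds resolved at render time cannot be judged statically.
      findings.push({ expr, index: m.index, reason: 'non-literal-bound' });
      continue;
    }
    const start = Number(lo);
    const end = Number(hi);
    if (!Number.isSafeInteger(start) || !Number.isSafeInteger(end)) {
      findings.push({ expr, index: m.index, reason: 'bound-out-of-range' });
    } else if (start > end) {
      // The reverse form the advisory describes as bypassing memoryLimit.
      findings.push({ expr, index: m.index, reason: 'reverse-range' });
    } else if (end - start + 1 > maxSpan) {
      findings.push({ expr, index: m.index, reason: 'span-too-large' });
    }
  }
  return findings;
}

function isTemplateAcceptable(templateSource, maxSpan = MAX_RANGE_SPAN) {
  // Strict policy: any finding, including unverifiable bounds, rejects the template.
  return auditRanges(templateSource, maxSpan).length === 0;
}

// Constructed sample templates for exercising the lint.
const SAMPLES = {
  benign: '{% for i in (1..5) %}{{ i }}{% endfor %}',
  reversed: '{% for i in (100000000..1) %}{{ i }}{% endfor %}',
  huge: '{% assign r = (1..50000000) %}',
  dynamic: '{% for i in (1..limit) %}{{ i }}{% endfor %}',
};
```

Because the lint works on source text, ordinary prose that happens to look like `(a..b)` is also flagged; under the strict policy that is a false positive to review, not a miss.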
Details
- CWE(s)