CVE-2026-33285
Published: 26 March 2026
Summary
CVE-2026-33285 is a high-severity Improper Input Validation (CWE-20) vulnerability in Liquidjs Liquidjs. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-33285 affects LiquidJS, a pure JavaScript template engine compatible with Shopify and GitHub Pages, in versions prior to 10.25.1. The vulnerability enables complete bypass of LiquidJS's `memoryLimit` security mechanism through the use of reverse range expressions, such as `(100000000..1)`. This allows attackers to allocate unlimited memory. When combined with a string flattening operation, like the `replace` filter, it triggers a V8 Fatal error that crashes the Node.js process.
The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-20 (Improper Input Validation) and CWE-400 (Uncontrolled Resource Consumption). Remote attackers require no privileges or user interaction to exploit it over the network with low complexity. By crafting a single malicious HTTP request containing a specially formed LiquidJS template, an attacker can induce a denial of service, fully crashing the Node.js process hosting the engine.
The GitHub security advisory (GHSA-9r5m-9576-7f6x) and patching commit (95ddefc056a11a44d9e753fd47a39db2c241e578) confirm that upgrading to LiquidJS version 10.25.1 resolves the bypass, restoring the effectiveness of the `memoryLimit` protection against such range-based memory exhaustion attacks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16062
Vulnerability details
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's `memoryLimit` security mechanism can be completely bypassed by using reverse range expressions (e.g., `(100000000..1)`), allowing an attacker to allocate unlimited memory. Combined…
more
with a string flattening operation (e.g., `replace` filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request. Version 10.25.1 patches the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote exploitation of public-facing apps (malicious Liquid template in HTTP request) to crash the process via resource exhaustion, directly mapping to T1190 and T1499.004.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 requires validation of inputs to the LiquidJS template engine, directly preventing the bypass of memoryLimit via malicious reverse range expressions.
SC-5 protects against denial-of-service attacks like the memory exhaustion and Node.js crash triggered by crafted LiquidJS templates in HTTP requests.
SI-2 mandates timely flaw remediation, such as patching LiquidJS to version 10.25.1, eliminating the vulnerability exploited for uncontrolled memory allocation.