CVE-2026-33287
Published: 26 March 2026
Summary
CVE-2026-33287 is a high-severity Improper Input Validation (CWE-20) vulnerability in Liquidjs Liquidjs. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 13.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely remediation of identified flaws, directly addressing the memory amplification vulnerability in LiquidJS by patching to version 10.25.1.
Enforces validation of inputs such as template strings to detect and reject malicious patterns exploiting backreferences in the replace_first filter.
Provides denial-of-service protections against resource exhaustion attacks like the exponential memory amplification enabled by improper memory accounting.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables direct exploitation of a template engine input validation flaw to trigger application-level memory exhaustion and crash (T1499.004 Application or System Exploitation).
NVD Description
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the `replace_first` filter in LiquidJS uses JavaScript's `String.prototype.replace()` which interprets `$&` as a back reference to the matched substring. The filter only charges…
more
`memoryLimit` for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the `memoryLimit` budget, leading to denial of service. Version 10.25.1 patches the issue.
Deeper analysisAI
CVE-2026-33287 is a denial-of-service vulnerability in LiquidJS, a pure JavaScript template engine compatible with Shopify and GitHub Pages. In versions prior to 10.25.1, the `replace_first` filter improperly uses JavaScript's `String.prototype.replace()` method, which interprets `$&` as a backreference to the matched substring. This allows exponential memory amplification—up to a 625,000:1 ratio—because the filter's `memoryLimit` enforcement only accounts for the input string length, not the expanded output size, as mapped to CWE-20 (Improper Input Validation) and CWE-400 (Uncontrolled Resource Consumption).
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network with low complexity by unauthenticated attackers requiring no user interaction. An attacker can craft a malicious template input for the `replace_first` filter that triggers repeated backreference expansions, rapidly exhausting server memory while remaining within configured limits, resulting in application crashes or service denial.
The GitHub security advisory (GHSA-6q5m-63h6-5x4v) and commit 35d523026345d80458df24c72e653db78b5d061d detail the patch in LiquidJS version 10.25.1, which addresses the memory accounting flaw in the filter. Security practitioners should upgrade to 10.25.1 or later and review deployments using LiquidJS for templating, especially in web-facing applications.
Details
- CWE(s)