LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern

Description

The replace_first filter in LiquidJS uses JavaScript’s String.prototype.replace() which interprets $& as a backreference to the matched substring. The filter only charges memoryLimit for the input string length, not the amplified output.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 10.24.0

References

• GHSA-6q5m-63h6-5x4v
• CVE-2026-33287
• CWE-20
• CWE-400
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS - CVE-2026-2581
• @sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sve - CVE-2026-22803
• Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement - CVE-2026-30938
• StudioCMS has Authorization Bypass Through User-Controlled Key - CVE-2026-24134

Tags:

npm

liquidjs