LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern

Description

The replace_first filter in LiquidJS uses JavaScript’s String.prototype.replace() which interprets $& as a backreference to the matched substring. The filter only charges memoryLimit for the input string length, not the amplified output.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 10.24.0

References

• GHSA-6q5m-63h6-5x4v
• CVE-2026-33287
• CWE-20
• CWE-400
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter - CVE-2026-34166
• LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime) - CVE-2026-45357
• Cloudflare has SSRF via redirect following through its image-binding-transform endpoint (incomplete fix for GHSA-qpr4) - CVE-2026-41321
• LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting sid - CVE-2026-39412

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

liquidjs