LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter
- Severity:
- Low
Description
The replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limiter, but the actual output from str.split(pattern).join(replacement) can be quadratically larger when the pattern occurs many times in the input string.
Recommendation
Update the liquidjs package to the latest compatible version. Followings are version details:
- Affected version(s): <= 10.25.2
- Patched version(s): 10.25.3
References
Related Issues
- LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime) - CVE-2026-45357
- LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern - CVE-2026-33287
- LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS - CVE-2026-44644
- LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting sid - CVE-2026-39412
You might also like:
- Tags:
- npm
- liquidjs
Anything's wrong? Let us know Last updated on April 09, 2026