LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter
- Severity: Low
Description
The `replace` filter in LiquidJS incorrectly accounts for memory usage when the `memoryLimit` option is enabled. It charges `str.length + pattern.length + replacement.length` bytes to the memory limiter, but the actual output of `str.split(pattern).join(replacement)` grows with the number of occurrences of the pattern times the replacement length, so it can be quadratically larger than the input when the pattern occurs many times in the input string.
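To make the accounting gap concrete, the following added example (not LiquidJS code) models a memory limiter and compares the input-size charge the advisory describes with the exact size of the `split`/`join` output, which can be computed before anything is allocated. `MemoryLimiter`, `predictedOutputLength` and the two `replaceWith...` functions are hypothetical names introduced here.

```javascript
// Hypothetical stand-in for a memoryLimit-style byte budget.
class MemoryLimiter {
  constructor(limitBytes) { this.limit = limitBytes; this.used = 0; }
  use(bytes) {
    if (this.used + bytes > this.limit) throw new Error("memory limit exceeded");
    this.used += bytes;
  }
}

// Number of joins that str.split(pattern).join(...) will perform, i.e. the
// number of non-overlapping occurrences; split('') splits between every char.
function countOccurrences(str, pattern) {
  if (pattern.length === 0) return Math.max(str.length - 1, 0);
  let count = 0, idx = str.indexOf(pattern);
  while (idx !== -1) { count++; idx = str.indexOf(pattern, idx + pattern.length); }
  return count;
}

// Exact length of str.split(pattern).join(replacement) without building it.
function predictedOutputLength(str, pattern, replacement) {
  const n = countOccurrences(str, pattern);
  return str.length + n * (replacement.length - pattern.length);
}

// Accounting as described in the advisory: charges only the input sizes.
function replaceWithInputAccounting(limiter, str, pattern, replacement) {
  limiter.use(str.length + pattern.length + replacement.length);
  return str.split(pattern).join(replacement);
}

// Corrected accounting: charge the real output size before allocating it.
function replaceWithOutputAccounting(limiter, str, pattern, replacement) {
  limiter.use(predictedOutputLength(str, pattern, replacement));
  return str.split(pattern).join(replacement);
}

// Constructed demonstration: a 1,000-char input and a 1,000-char replacement.
function demo() {
  const str = "a".repeat(1000), pattern = "a", replacement = "b".repeat(1000);
  const charged = str.length + pattern.length + replacement.length; // 2001
  const actual = predictedOutputLength(str, pattern, replacement);  // 1000000
  return { charged, actual, ratio: actual / charged };
}
```

With a 5,000-byte budget, `replaceWithInputAccounting` accepts the constructed input and produces a 1,000,000-character string, while `replaceWithOutputAccounting` rejects it up front.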
Recommendation
Update the liquidjs package to the latest compatible version. Version details:
- Affected version(s): <= 10.25.2
- Patched version(s): 10.25.3
Related Issues
- LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime) - CVE-2026-45357
- LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern - CVE-2026-33287
- Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries - CVE-2026-32728
- LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex - CVE-2026-45617
- Tags: npm, liquidjs
Last updated on April 09, 2026