LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash

Severity:: High

Description

LiquidJS’s memoryLimit security mechanism can be completely bypassed by using reverse range expressions (e.g., (100000000..1)), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., replace filter), this causes a **V8 Fatal error that crashes the Node.

Recommendation

No fix is available yet. Followings are affected versions:

<= 10.24.0

References

GHSA-9r5m-9576-7f6x
CVE-2026-33285
CWE-20
CWE-400
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

StudioCMS has Authorization Bypass Through User-Controlled Key - CVE-2026-24134
LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern - CVE-2026-33287
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement - CVE-2026-30938
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters - CVE-2026-30863

Tags:: npm; liquidjs

Anything's wrong? Let us know Last updated on March 25, 2026