LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash

Severity:: High

Description

LiquidJS’s memoryLimit security mechanism can be completely bypassed by using reverse range expressions (e.g., (100000000..1)), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., replace filter), this causes a **V8 Fatal error that crashes the Node.

Recommendation

No fix is available yet. Followings are affected versions:

<= 10.24.0

References

GHSA-9r5m-9576-7f6x
CVE-2026-33285
CWE-20
CWE-400
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

jsrsasign: Negative Exponent Handling Leads to Signature Verification Bypass - CVE-2026-4602
LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates - CVE-2026-35525
LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting sid - CVE-2026-39412
OpenClaude MCP OAuth Callback: State Check Bypass via error Param Leads to DoS - CVE-2026-42073

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; liquidjs

Anything's wrong? Let us know Last updated on March 30, 2026