137 matches found
EUVD-2026-20554
LiquidJS Has Memory Limit Bypass via Quadratic Amplification in replace Filter...
LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter
Summary The replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limiter, but the actual output from str.splitpattern.joinreplacement can be quadratically larger whe...
PT-2026-31354
liquidjs 10.25.0 documents root as constraining filenames passed to renderFile and parseFile, but top-level file loads do not enforce that boundary. The published npm package [email protected] on Linux 6.17.0 with Node v22.22.1. A Liquid instance configured with an empty temporary directory as roo...
PT-2026-31349
Summary LiquidJS enforces partial and layout root restrictions using the resolved pathname string, but it does not resolve the canonical filesystem path before opening the file. A symlink placed inside an allowed partials or layouts directory can therefore point to a file outside that directory a...
liquidjs 安全漏洞
LiquidJS is a simple, expressive, secure, and compatible JavaScript template engine developed by Jun Yang. Versions of LiquidJS prior to 10.25.3 contained security vulnerabilities; these vulnerabilities stemmed from path-based checks instead of checking actual paths, which could lead to external...
liquidjs 资源管理错误漏洞
LiquidJS is a simple, expressive, secure, and compatible JavaScript template engine developed by Jun Yang. Versions of LiquidJS prior to 10.25.3 had a resource management vulnerability, which stemmed from errors in memory usage calculations by the replace filter. This vulnerability could...
liquidjs 路径遍历漏洞
LiquidJS is a simple, expressive, secure, and compatible JavaScript template engine developed by Jun Yang. Versions of LiquidJS prior to 10.25.3 had a path traversal vulnerability, which stemmed from the lack of enforcement of root directory restrictions, potentially allowing access to arbitrary...
CVE-2026-33285
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's memoryLimit security mechanism can be completely bypassed by using reverse range expressions e.g., 100000000..1, allowing an attacker to allocate unlimited memory. Combined wit...
CVE-2026-33287
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the replacefirst filter in LiquidJS uses JavaScript's String.prototype.replace which interprets $& as a back reference to the matched substring. The filter only charges memoryLimit for th...
CVE-2026-30952
liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the...
CVE-2026-33285
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's memoryLimit security mechanism can be completely bypassed by using reverse range expressions e.g., 100000000..1, allowing an attacker to allocate unlimited memory. Combined wit...
CVE-2026-33287
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the replacefirst filter in LiquidJS uses JavaScript's String.prototype.replace which interprets $& as a back reference to the matched substring. The filter only charges memoryLimit for th...
CVE-2026-33285 LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's memoryLimit security mechanism can be completely bypassed by using reverse range expressions e.g., 100000000..1, allowing an attacker to allocate unlimited memory. Combined wit...
CVE-2026-33285 LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's memoryLimit security mechanism can be completely bypassed by using reverse range expressions e.g., 100000000..1, allowing an attacker to allocate unlimited memory. Combined wit...
CVE-2026-33285
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's memoryLimit security mechanism can be completely bypassed by using reverse range expressions e.g., 100000000..1, allowing an attacker to allocate unlimited memory. Combined wit...
CVE-2026-33285 LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's memoryLimit security mechanism can be completely bypassed by using reverse range expressions e.g., 100000000..1, allowing an attacker to allocate unlimited memory. Combined wit...
CVE-2026-33285
CVE-2026-33285 concerns LiquidJS (template engine for Shopify/GitHub Pages). Vulnerability: memoryLimit protection can be bypassed by reverse range expressions (e.g., (100000000..1)), allowing unbounded memory allocation. When combined with string flattening operations (e.g., replace filter), thi...
CVE-2026-33287
LiquidJS has a vulnerability where the replace_first filter uses String.prototype.replace(), causing $& expansions to inflate output without counting against memoryLimit. This can yield exponential memory amplification (up to ~625,000:1) and denial of service. Publicly documented details show the...
CVE-2026-33287
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the replacefirst filter in LiquidJS uses JavaScript's String.prototype.replace which interprets $& as a back reference to the matched substring. The filter only charges memoryLimit for th...
CVE-2026-33287 LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the replacefirst filter in LiquidJS uses JavaScript's String.prototype.replace which interprets $& as a back reference to the matched substring. The filter only charges memoryLimit for th...