5 matches found
CVE-2026-34166 LiquidJS has a Memory Limit Bypass via Quadratic Amplification in `replace` Filter
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limite...
CVE-2026-34166 LiquidJS has a Memory Limit Bypass via Quadratic Amplification in `replace` Filter
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limite...
CVE-2026-34166
LiquidJS (template engine) has a memoryLimit bypass in the replace filter: when memoryLimit is enabled, replacing a pattern can produce output size that grows quadratically with occurrences, bypassing the configured memory cap and risking out-of-memory DoS. Affected: prior to 10.25.3. Fix: upgrad...
EUVD-2026-20554
LiquidJS Has Memory Limit Bypass via Quadratic Amplification in replace Filter...
LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter
Summary: The replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limiter, but the actual output from str.split(pattern).join(replacement) can be quadratically larger whe...