Memory Management Bypass in LiquidJS Template Engine
CVE-2026-33285

7.5 HIGH

Key Information:

Vendor: Harttle

Status
Vendor
CVE Published: 26 March 2026

What is CVE-2026-33285?

LiquidJS is a popular template engine compatible with Shopify and GitHub Pages. In versions prior to 10.25.1, the memoryLimit security mechanism can be bypassed with reverse range expressions such as (100000000..1). The bypass lets an attacker allocate unlimited memory, which, when combined with certain operations such as the replace filter, can trigger a V8 fatal error and crash the Node.js process. A single malicious HTTP request can therefore cause a complete denial of service. The vulnerability is resolved in version 10.25.1.
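For deployments that render untrusted templates, a pre-render lint can flag the range form named above as a stopgap until the upgrade to 10.25.1 is in place. This is an added example, not code from LiquidJS or from the advisory; findSuspiciousRanges, the maxSpan threshold and the sample template are assumptions constructed for illustration.

```javascript
// Added example: static lint for Liquid range expressions in untrusted templates.
// findSuspiciousRanges and maxSpan are hypothetical names, not LiquidJS APIs.

// Matches "(start..end)"; each bound is an integer literal or a variable path.
const RANGE_RE = /\(\s*([^()]+?)\s*\.\.\s*([^()]+?)\s*\)/g;
const INT_RE = /^-?\d+$/;

function findSuspiciousRanges(template, maxSpan = 10000) {
  const findings = [];
  for (const m of template.matchAll(RANGE_RE)) {
    const [expr, lo, hi] = m;
    // 1-based line number of the match, for reporting.
    const line = template.slice(0, m.index).split('\n').length;
    let kind = null;
    if (INT_RE.test(lo) && INT_RE.test(hi)) {
      const start = Number(lo);
      const end = Number(hi);
      if (start > end) {
        kind = 'reversed';   // the form the advisory describes, e.g. (100000000..1)
      } else if (end - start + 1 > maxSpan) {
        kind = 'oversized';  // forward range larger than the local policy allows
      }
    } else {
      // Bounds come from variables, so the size is unknown until render time.
      kind = 'dynamic';
    }
    if (kind) findings.push({ line, expr, kind });
  }
  return findings;
}

// Constructed sample template (not taken from a real application).
const SAMPLE = [
  '{% for i in (1..5) %}{{ i }}{% endfor %}',
  '{% assign big = (100000000..1) %}',
  '{% for i in (1..user.count) %}{{ i }}{% endfor %}',
  '{% for i in (1..100000000) %}x{% endfor %}',
].join('\n');

for (const f of findSuspiciousRanges(SAMPLE)) {
  console.log(`line ${f.line}: ${f.kind} range ${f.expr}`);
}
```

The lint only sees literal bounds; ranges reported as dynamic still depend on the fixed memoryLimit accounting in 10.25.1.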

Affected Version(s)

liquidjs < 10.25.1

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
