{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33285", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T18:55:47.426Z", "datePublished": "2026-03-26T00:34:25.169Z", "dateUpdated": "2026-03-28T02:08:05.711Z"}, "containers": {"cna": {"title": "LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x"}, {"name": "https://github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578", "tags": ["x_refsource_MISC"], "url": "https://github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578"}], "affected": [{"vendor": "harttle", "product": "liquidjs", "versions": [{"version": "< 10.25.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T00:34:25.169Z"}, "descriptions": [{"lang": "en", "value": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's `memoryLimit` security mechanism can be completely bypassed by using reverse range expressions (e.g., `(100000000..1)`), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., `replace` filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request. Version 10.25.1 patches the issue."}], "source": {"advisory": "GHSA-9r5m-9576-7f6x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-28T02:06:55.564481Z", "id": "CVE-2026-33285", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T02:08:05.711Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33285", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-28T02:06:55.564481Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T02:08:01.337Z"}}], "cna": {"title": "LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash", "source": {"advisory": "GHSA-9r5m-9576-7f6x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "harttle", "product": "liquidjs", "versions": [{"status": "affected", "version": "< 10.25.1"}]}], "references": [{"url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x", "name": "https://github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578", "name": "https://github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's `memoryLimit` security mechanism can be completely bypassed by using reverse range expressions (e.g., `(100000000..1)`), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., `replace` filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request. Version 10.25.1 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T00:34:25.169Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33285", "state": "PUBLISHED", "dateUpdated": "2026-03-28T02:08:05.711Z", "dateReserved": "2026-03-18T18:55:47.426Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T00:34:25.169Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's `memoryLimit` security mechanism can be completely bypassed by using reverse range expressions (e.g., `(100000000..1)`), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., `replace` filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request. Version 10.25.1 patches the issue."}], "id": "CVE-2026-33285", "lastModified": "2026-03-26T15:13:15.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-26T01:16:27.363", "references": [{"source": "[email protected]", "url": "https://github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578"}, {"source": "[email protected]", "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-400"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.25.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "liquidjs", "source": "cna", "vendor": "harttle"}, "product": "liquidjs", "vendor": "harttle"}], "analysis": {"en": {"generated_at": "2026-03-26T03:11:43.042658+00:00", "value": {"mitigation_remediation": ["Upgrade LiquidJS to version 10.25.1 or newer"], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Vulnerable versions of the LiquidJS package, maintained by the harttle project, are any release prior to 10.25.1. The affected product is the pure\u2011JavaScript LiquidJS template engine, commonly embedded in Node.js web applications that render user\u2011supplied templates. Versions 10.25.1 and later contain the fix and are not affected.", "description_and_impact": "LiquidJS, a template engine used by Shopify and GitHub Pages, contains a flaw in its memoryLimit enforcement. By supplying a reverse range expression such as (100000000..1) the engine allocates unlimited memory. When this is combined with a string flattening operation like the replace filter, the V8 engine throws a fatal error that crashes the Node.js process. The result is a complete denial of service that can be triggered by a single HTTP request. The weakness is rooted in improper input validation (CWE\u201120) and uncontrolled resource consumption (CWE\u2011400).", "risk_and_exploitability": "The flaw carries a CVSS score of 7.5, indicating a high severity. While EPSS data is not available, the vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited in the wild. Attackers can trigger the exploit through standard HTTP requests that include malicious template code, allowing them to crash the server process without additional privileges. The impact is limited to the targeted instance, but repeated crashes can cause sustained service disruption."}}}}, "created": "2026-03-26T11:30:53.032114+00:00", "updated": "2026-03-26T12:08:54.743367+00:00", "vendors": ["harttle", "harttle$PRODUCT$liquidjs"]}