CVE-2026-33285: LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash

March 25, 2026 (updated March 30, 2026)

LiquidJS’s memoryLimit security mechanism can be completely bypassed by using reverse range expressions (e.g., (100000000..1)), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., replace filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request.

References

github.com/advisories/GHSA-9r5m-9576-7f6x
github.com/harttle/liquidjs
github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578
github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x
nvd.nist.gov/vuln/detail/CVE-2026-33285

Code Behaviors & Features

Detect and mitigate CVE-2026-33285 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →