CVE-2026-34166: LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter

April 8, 2026 (updated April 9, 2026)

The replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limiter, but the actual output from str.split(pattern).join(replacement) can be quadratically larger when the pattern occurs many times in the input string. This allows an attacker who controls template content to bypass the memoryLimit DoS protection with approximately 2,500x amplification, potentially causing out-of-memory conditions.

References

github.com/advisories/GHSA-mmg9-6m6j-jqqx
github.com/harttle/liquidjs
github.com/harttle/liquidjs/commit/abc058be0f33d6372cd2216f4945183167abeb25
github.com/harttle/liquidjs/releases/tag/v10.25.3
github.com/harttle/liquidjs/security/advisories/GHSA-mmg9-6m6j-jqqx
nvd.nist.gov/vuln/detail/CVE-2026-34166

Code Behaviors & Features

Detect and mitigate CVE-2026-34166 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →