Platform: nodejs
Component: liquidjs
Fixed in: 10.25.4, 10.25.3
CVE-2026-34166 describes a memory limit bypass vulnerability within LiquidJS, a JavaScript templating engine. An attacker can manipulate template content to exceed the configured memoryLimit, potentially leading to a denial-of-service (DoS) condition. This vulnerability affects versions prior to 10.25.3 and is addressed in version 10.25.3.
The core of the vulnerability lies in the replace filter's inaccurate memory usage calculation. When the memoryLimit option is enabled, the filter incorrectly estimates the memory required for string replacement. An attacker who controls the template content can craft a pattern and replacement string that, when processed, results in a significantly larger output string than initially anticipated. This amplification can be as high as 2,500x, allowing an attacker to bypass the intended memory limit and trigger an out-of-memory error, effectively causing a denial of service. This is particularly concerning in environments where LiquidJS is used to render dynamic content, as malicious templates could be injected to disrupt service.
CVE-2026-34166 was publicly disclosed on 2026-04-08. The vulnerability's CVSS score is LOW (3.7), indicating a relatively low probability of exploitation. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature suggests that a PoC could be developed relatively easily. It is not currently listed on the CISA KEV catalog.
Applications and services utilizing LiquidJS versions prior to 10.25.3 are at risk. This includes Node.js applications that rely on LiquidJS for templating, particularly those handling user-supplied content or external data within templates. Shared hosting environments where multiple users can influence template content are also at increased risk.
• nodejs: Monitor LiquidJS process memory usage. Sudden spikes in memory consumption, especially during template rendering, could indicate exploitation.
  # [l] keeps grep from matching its own process; column 6 of ps aux is RSS
  ps aux | grep '[l]iquidjs' | awk '{print $6}' | sort -n
• nodejs: Check for unusual template content patterns. Look for extremely long patterns or replacement strings in template files or input data.
  grep -r 'very_long_pattern_here' /path/to/templates
• generic web: Examine web server access logs for requests containing unusually large template parameters. This may indicate an attempt to trigger the vulnerability.
EPSS: 0.05% (15th percentile)
The primary mitigation for CVE-2026-34166 is to upgrade LiquidJS to version 10.25.3 or later, which includes the corrected memory usage calculation. If upgrading is not immediately feasible, consider implementing stricter input validation on template content to prevent excessively long patterns or replacement strings. While a direct WAF rule is unlikely to be effective due to the nature of the vulnerability, limiting the overall size of template inputs can provide a degree of protection. After upgrading, confirm the fix by testing template rendering with large strings and verifying that the memory limit is enforced as expected.
Upgrade to version 10.25.3 or later to mitigate the vulnerability. This update fixes a bug in the 'replace' filter that allowed memory limit restrictions to be bypassed, which could lead to denial-of-service (DoS) conditions due to excessive memory consumption.
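The accounting principle behind the fix and the input-validation advice above, as an added example that is not LiquidJS code and not the project's actual patch: a replace-all wrapper that computes the exact output length before allocating it and charges that length against a render budget. RenderBudget, countOccurrences, projectedLength and guardedReplace are hypothetical names, and the sample input is constructed.

```javascript
// Added illustration (hypothetical helpers, not LiquidJS APIs).
// Budget units are UTF-16 code units, used here as a proxy for memory.
class RenderBudget {
  constructor(limit) { this.limit = limit; this.used = 0; }
  charge(units, what) {
    if (this.used + units > this.limit) {
      throw new RangeError(`render budget exceeded by ${what}`);
    }
    this.used += units;
  }
}

// Count non-overlapping matches the same way a replace-all scans the input.
function countOccurrences(input, pattern) {
  if (pattern.length === 0) return input.length + 1; // one match at every gap
  let count = 0;
  let i = input.indexOf(pattern);
  while (i !== -1) {
    count++;
    i = input.indexOf(pattern, i + pattern.length);
  }
  return count;
}

// Exact output length of a replace-all, without building the output.
function projectedLength(input, pattern, replacement) {
  const n = countOccurrences(input, pattern);
  return input.length + n * (replacement.length - pattern.length);
}

// Charge for the OUTPUT size first; allocate only if the budget allows it.
function guardedReplace(budget, input, pattern, replacement) {
  budget.charge(projectedLength(input, pattern, replacement), 'replace');
  // Function form so "$&"-style sequences in the replacement stay literal,
  // which keeps the projected length exact.
  return input.replaceAll(pattern, () => replacement);
}

// Constructed sample: 200-unit input, 100 matches, 50-unit replacement.
const sampleInput = 'ab'.repeat(100);
const sampleReplacement = 'x'.repeat(50);
const projected = projectedLength(sampleInput, 'a', sampleReplacement);
console.log(`input=${sampleInput.length} projected output=${projected}`);
try {
  guardedReplace(new RenderBudget(1000), sampleInput, 'a', sampleReplacement);
} catch (err) {
  console.log(`rejected before allocation: ${err.message}`);
}
```

Charging the input length alone would have accepted this call under a 1000-unit budget even though the result is more than 25 times larger.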
CVE-2026-34166 is a vulnerability in LiquidJS where the replace filter incorrectly calculates memory usage, allowing attackers to bypass memory limits and potentially cause a denial-of-service.
You are affected if you are using LiquidJS versions prior to 10.25.3. Upgrade to the latest version to mitigate the risk.
Upgrade LiquidJS to version 10.25.3 or later. Consider input validation on template content as an additional precaution.
There is no confirmed active exploitation of CVE-2026-34166 at this time, but a PoC could be developed.
Refer to the LiquidJS project's release notes and security advisories on their GitHub repository for the latest information.