Platform: nodejs
Component: liquidjs
Fixed in: 10.25.4, 10.25.3
CVE-2026-34166 describes a memory limit bypass vulnerability within LiquidJS, a JavaScript templating engine. An attacker can manipulate template content to exceed the configured memoryLimit, potentially leading to a denial-of-service (DoS) condition. This vulnerability affects versions prior to 10.25.3 and is addressed in version 10.25.3.
The core of the vulnerability lies in the replace filter's inaccurate memory usage calculation. When the memoryLimit option is enabled, the filter incorrectly estimates the memory required for string replacement. An attacker who controls the template content can craft a pattern and replacement string that, when processed, results in a significantly larger output string than initially anticipated. This amplification can be as high as 2,500x, allowing an attacker to bypass the intended memory limit and trigger an out-of-memory error, effectively causing a denial of service. This is particularly concerning in environments where LiquidJS is used to render dynamic content, as malicious templates could be injected to disrupt service.
CVE-2026-34166 was publicly disclosed on 2026-04-08. The vulnerability's CVSS score is LOW (3.7), indicating a relatively low probability of exploitation. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature suggests that a PoC could be developed relatively easily. It is not currently listed on the CISA KEV catalog.
EPSS: 0.05% (15th percentile)
The primary mitigation for CVE-2026-34166 is to upgrade LiquidJS to version 10.25.3 or later, which includes the corrected memory usage calculation. If upgrading is not immediately feasible, consider implementing stricter input validation on template content to prevent excessively long patterns or replacement strings. While a direct WAF rule is unlikely to be effective due to the nature of the vulnerability, limiting the overall size of template inputs can provide a degree of protection. After upgrading, confirm the fix by testing template rendering with large strings and verifying that the memory limit is enforced as expected.
Upgrade to version 10.25.3 or later to mitigate the vulnerability. This update fixes a bug in the 'replace' filter that allowed memory limit restrictions to be bypassed, which could lead to denial-of-service (DoS) conditions due to excessive memory consumption.
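To confirm that no copy of liquidjs older than the fix remains installed, including copies pulled in by other packages, the lockfile can be checked directly. The following is an added example, not code from the LiquidJS project or from this advisory; it assumes an npm package-lock.json with lockfileVersion 2 or 3, and the sample lockfile and the package name mail-renderer are constructed for illustration.

```javascript
// Added example: list every liquidjs copy in a package-lock.json and mark
// those older than the fixed release named in the advisory text.
const FIXED = '10.25.3'; // "affects versions prior to 10.25.3"

// Numeric x.y.z comparison (string comparison would rank 10.9.2 above 10.25.3).
function compareCore(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// A pre-release of the fixed version (e.g. 10.25.3-rc.1) is treated as
// affected, because it sorts before the release that carries the fix.
function isAffected(version) {
  const core = version.split(/[-+]/)[0];
  const cmp = compareCore(core, FIXED);
  return cmp < 0 || (cmp === 0 && /^\d+\.\d+\.\d+-/.test(version));
}

function findLiquidjs(lockText) {
  const lock = JSON.parse(lockText);
  // lockfileVersion 1 has no "packages" map; fail loudly instead of reporting "clean".
  if (!lock.packages) throw new Error('unsupported lockfile: no "packages" map');
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    // Keys look like "node_modules/a/node_modules/liquidjs"; match the last segment only.
    if (!/(^|\/)node_modules\/liquidjs$/.test(path)) continue;
    if (typeof meta.version !== 'string') continue;
    findings.push({ path, version: meta.version, affected: isAffected(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile: one fixed top-level copy, one old nested copy.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { liquidjs: '^10.25.0' } },
    'node_modules/liquidjs': { version: '10.25.3' },
    'node_modules/mail-renderer/node_modules/liquidjs': { version: '10.9.2' },
    'node_modules/not-liquidjs': { version: '1.0.0' },
  },
});
console.log(findLiquidjs(SAMPLE_LOCK));
```

A nested copy that is still affected after upgrading the top-level dependency means the parent package pins an old range and needs its own update or an npm `overrides` entry.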
CVE-2026-34166 is a vulnerability in LiquidJS where the replace filter incorrectly calculates memory usage, allowing attackers to bypass memory limits and potentially cause a denial-of-service.
You are affected if you are using LiquidJS versions prior to 10.25.3. Upgrade to the latest version to mitigate the risk.
Upgrade LiquidJS to version 10.25.3 or later. Consider input validation on template content as an additional precaution.
There is no confirmed active exploitation of CVE-2026-34166 at this time, but a PoC could be developed.
Refer to the LiquidJS project's release notes and security advisories on their GitHub repository for the latest information.