CVE Catalog

CVE-2026-34166

Low
Published: Translated: NVD NIST

Summary

In the LiquidJS template engine, a vulnerability was found where the replace filter incorrectly accounts for memory usage when the memoryLimit option is enabled. The issue affects versions prior to 10.25.3.

Risk Assessment

An attacker could exploit this flaw to exceed the memory limit, potentially leading to resource exhaustion and denial of service (DoS).

Recommendation

Immediately update the LiquidJS library to version 10.25.3 or later, which includes a fix for this issue.

Original NVD description (English source)

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limiter,

Vulnerability data from NVD (NIST) · CISA KEV · EPSS