harttle LiquidJS
cpe:2.3:a:liquidjs:liquidjs:*:*:*:*:node.js:*:*
- <= 10.24.x
A denial-of-service vulnerability has been identified in LiquidJS versions prior to 10.25.1. The issue arises from a flaw in the template engine's memory management, where reverse range expressions can be used to bypass the `memoryLimit` security feature. This allows an attacker to allocate excessive memory, which, when combined with certain string operations, triggers a fatal error in the V8 JavaScript engine. The result is a crash of the Node.js process, causing a complete denial-of-service condition from a single HTTP request.
Exploitation of this vulnerability leads to a V8 fatal error that crashes the Node.js process, causing a complete denial-of-service condition. The process termination is not catchable by JavaScript error handlers, and the crash affects the entire service, not just the individual connection. This vulnerability can also create a false sense of security, as administrators may believe their services are protected by the `memoryLimit` feature when, in fact, they are not.
The vulnerability can be reproduced by sending a Liquid template that includes reverse range expressions to an application using LiquidJS version 10.24.x or earlier, with the `memoryLimit` option enabled. This can be done through an HTTP POST request to an endpoint that renders user-supplied Liquid templates, such as a CMS preview or newsletter editor. The request should include a template that first uses reverse ranges to drive the memory limit counter negative, and then applies a string operation that requires full memory allocation, causing the Node.js process to crash.
Users can upgrade to LiquidJS version 10.25.1 or later, where this vulnerability has been patched.