harttle liquidjs
cpe:2.3:a:liquidjs:liquidjs:*:*:*:*:node.js:*:*
- <= 10.24.x
A denial-of-service vulnerability has been identified in LiquidJS versions prior to 10.25.1. The issue is in the replace_first filter, which is implemented with JavaScript's String.prototype.replace(). That method treats the replacement pattern '$&' as a reference to the matched substring, so a replacement made of many '$&' tokens expands to many copies of the match. The filter charges its memory accounting for the length of the input string only, not for the much larger output such an expansion produces. Because every chained replace_first call can multiply the string length again, growth is geometric in the number of chained calls, and an attacker can amplify memory usage by a factor of up to 625,000:1 while the accounted usage stays within the configured memory limit. The result is excessive memory consumption and a denial-of-service condition that disrupts normal application performance.
Exploitation bypasses the memory limit: the engine allocates far more than it accounts for, and the excess memory usage leads to a denial-of-service condition. The application becomes unresponsive, particularly under concurrent load, as verified through empirical testing.
To reproduce, use LiquidJS version 10.24.0 and render a template that applies the replace_first filter with a replacement string containing '$&' patterns. Any application that accepts user-provided Liquid templates, such as a CMS or newsletter editor, is a suitable entry point. Once the expansion is confirmed, chaining multiple replace_first calls compounds it to the desired memory amplification.
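The mechanism described above, as an added example that is not LiquidJS code and not from the advisory: it models replace_first with plain String.prototype.replace(), charges a budget for the input length only (the vulnerable shape), then charges for the predicted output length instead (a hardened shape), and chains the calls so each step multiplies the string size. MemoryBudget, unsafeReplaceFirst, safeReplaceFirst, amplify, runChain and hasBackrefReplaceFirst are names invented for this example; the budget class is a simplified stand-in for the library's own accounting, and the final function is a heuristic scan an operator might run over user-supplied templates, not a Liquid parser.

```javascript
// Added example (not LiquidJS code): models the replace_first amplification
// with plain String.prototype.replace and shows how input-only accounting
// lets the amplified output escape the configured memory limit.

class MemoryBudget {
  constructor(limit) {
    this.limit = limit; // maximum number of characters this render may allocate
    this.used = 0;
  }
  use(chars) {
    const next = this.used + chars;
    if (next > this.limit) {
      throw new RangeError(`memory limit exceeded: ${next} > ${this.limit}`);
    }
    this.used = next;
  }
}

// A replacement made of k "$&" tokens: each token is replaced by the matched
// substring, so a full-string match yields k copies of the input.
function backrefReplacement(k) {
  return '$&'.repeat(k);
}

// Vulnerable shape: the budget is charged for the input length only, so the
// (much larger) result of replace() is never counted.
function unsafeReplaceFirst(str, pattern, replacement, budget) {
  budget.use(str.length);
  return str.replace(pattern, replacement);
}

// Hardened shape: compute the output size before allocating it. With a string
// pattern the match length is pattern.length, so the expansion of "$&" can be
// predicted. Only "$&" is modelled here; the other $-patterns ($`, $', $$)
// would need the same treatment in a real filter.
function safeReplaceFirst(str, pattern, replacement, budget) {
  if (str.indexOf(pattern) === -1) {
    budget.use(str.length);
    return str;
  }
  const backrefs = (replacement.match(/\$&/g) || []).length;
  const literal = replacement.replace(/\$&/g, '').length;
  const predicted = str.length - pattern.length + literal + backrefs * pattern.length;
  budget.use(predicted);
  return str.replace(pattern, replacement);
}

// Chain `depth` calls; each one matches the whole current string, so every
// step multiplies the length by `fanout` and total growth is fanout ** depth
// (in Liquid this would be repeated assign / replace_first steps; assumption).
function amplify(seed, fanout, depth, replaceFn, budget) {
  let s = seed;
  for (let i = 0; i < depth; i++) {
    s = replaceFn(s, s, backrefReplacement(fanout), budget);
  }
  return s;
}

// Runs the chain under the given accounting and reports what happened.
function runChain(replaceFn, seed, fanout, depth, limit) {
  const budget = new MemoryBudget(limit);
  try {
    const out = amplify(seed, fanout, depth, replaceFn, budget);
    return { blocked: false, outputLength: out.length, charged: budget.used };
  } catch (e) {
    if (!(e instanceof RangeError)) throw e;
    return { blocked: true, outputLength: null, charged: budget.used };
  }
}

// Heuristic check for user-supplied templates: flag replace_first filters
// whose argument list contains "$&". Not a parser; false positives possible.
function hasBackrefReplaceFirst(template) {
  return /replace_first\s*:[^|%}]*\$&/.test(template);
}

// Constructed input: a 10-char seed, 10 "$&" per step, 3 steps -> 10 * 10**3
// = 10000 chars against a 5000-char limit. Input-only accounting charges
// 10 + 100 + 1000 = 1110 and lets the 10000-char result through; output
// accounting refuses the last step.
const unsafe = runChain(unsafeReplaceFirst, 'a'.repeat(10), 10, 3, 5000);
const safe = runChain(safeReplaceFirst, 'a'.repeat(10), 10, 3, 5000);
console.log('input-only accounting:', unsafe);
console.log('output accounting:    ', safe);
console.log('template flagged:', hasBackrefReplaceFirst('{{ s | replace_first: s, "$&$&$&" }}'));
```

The point of the hardened variant is that the budget is charged before the expanded string exists; a simpler alternative that charges the output length after the replace still stops the chain at the next step, but has already allocated one oversized string. The template scan is only a triage aid: an attacker can build the replacement from variables rather than a literal, so the real control is accounting for output size in the filter.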
Users should upgrade to LiquidJS version 10.25.1 or later, where this vulnerability has been patched.