LiquidJS Memory Limit Bypass Vulnerability in Replace Filter Allowing Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in LiquidJS versions prior to 10.25.3. The issue is in the replace filter: when the memoryLimit option is enabled, the engine incorrectly calculates the memory the filter uses. An attacker can use this miscalculation to bypass the memoryLimit protection and cause out-of-memory conditions. The effect is largest when the pattern occurs frequently in the input string, where memory usage can be amplified to approximately 2,500 times more than intended.

Impact

Exploitation of this vulnerability can cause Node.js process crashes due to out-of-memory errors, disrupt service for other users on the same process, and exhaust resources on the hosting infrastructure.

Reproduction

To reproduce this vulnerability, enable the memoryLimit option in LiquidJS and set it to a value such as 10MB. Then create a template that uses the replace filter to substitute a character pattern with a longer string. When the LiquidJS engine processes the template, the memory limit is bypassed and memory usage becomes excessive.

Remediation

Users can upgrade to LiquidJS version 10.25.3 or later, where this vulnerability has been fixed.
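Where template input is untrusted, the growth of a replace operation can also be bounded before the output string is built. The following is an added example, not LiquidJS code and not the project's fix; the function names and the budget parameter are hypothetical, and sizes are counted in UTF-16 code units.

```javascript
// Added example: compute the exact output size of a replace-all before
// allocating it, and refuse the operation when it exceeds a budget.
// Hypothetical helper names; not part of LiquidJS.

// Count non-overlapping occurrences of `pattern` in `input`.
function countOccurrences(input, pattern) {
  // An empty pattern matches at every position, including both ends.
  if (pattern.length === 0) return input.length + 1;
  let count = 0;
  let pos = input.indexOf(pattern);
  while (pos !== -1) {
    count += 1;
    pos = input.indexOf(pattern, pos + pattern.length);
  }
  return count;
}

// Length of `input` after every match is replaced: each match removes
// pattern.length units and adds replacement.length units.
function projectedReplaceSize(input, pattern, replacement) {
  const hits = countOccurrences(input, pattern);
  return input.length + hits * (replacement.length - pattern.length);
}

// Replace all matches, charging the full output size against `budget`.
function boundedReplace(input, pattern, replacement, budget) {
  const size = projectedReplaceSize(input, pattern, replacement);
  if (size > budget) {
    throw new RangeError(`replace output of ${size} units exceeds budget of ${budget}`);
  }
  // A function replacement avoids interpreting "$&"-style sequences.
  return input.replaceAll(pattern, () => replacement);
}

// Constructed sample: a frequent one-character pattern and a longer replacement.
const sampleInput = "x".repeat(1000);
const sampleReplacement = "y".repeat(100);
console.log(projectedReplaceSize(sampleInput, "x", sampleReplacement)); // 100000
```

The check costs one pass over the input and no allocation proportional to the output, so it can run before any memory accounting that depends on the finished string.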

Added: Apr 8, 2026, 8:26 PM
Updated: Apr 8, 2026, 8:26 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 3.1
exploitability: 4.6
remediation: 7.7
relevance: 5.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.