{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-22T22:10:51.871","vulnerabilities":[{"cve":{"id":"CVE-2026-33285","sourceIdentifier":"security-advisories@github.com","published":"2026-03-26T01:16:27.363","lastModified":"2026-03-30T16:46:19.273","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's `memoryLimit` security mechanism can be completely bypassed by using reverse range expressions (e.g., `(100000000..1)`), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., `replace` filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request. Version 10.25.1 patches the issue."},{"lang":"es","value":"LiquidJS es un motor de plantillas compatible con Shopify / GitHub Pages en JavaScript puro. Antes de la versión 10.25.1, el mecanismo de seguridad 'memoryLimit' de LiquidJS puede ser completamente eludido mediante el uso de expresiones de rango inverso (por ejemplo, '(100000000..1)'), permitiendo a un atacante asignar memoria ilimitada. Combinado con una operación de aplanamiento de cadenas (por ejemplo, el filtro 'replace'), esto causa un error fatal de V8 que provoca la caída del proceso de Node.js, resultando en una denegación de servicio completa desde una única solicitud HTTP. La versión 10.25.1 corrige el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-20"},{"lang":"en","value":"CWE-400"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:liquidjs:liquidjs:*:*:*:*:*:node.js:*:*","versionEndExcluding":"10.25.1","matchCriteriaId":"7E49E8C9-5FB9-40CA-BE2C-AC2B6553F472"}]}]}],"references":[{"url":"https://github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}