Liquidjs
CVE-2026-30952
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 36 npm packages depend on liquidjs (8 direct, 29 indirect)
Ecosystem-wide dependent count for version 10.25.0.
DescriptionGitHub Advisory
liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the default). This poses a security risk when malicious users are allowed to control the template content or specify the filepath to be included as a Liquid variable. This vulnerability is fixed in 10.25.0.
AnalysisAI
liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. versions up to 10.25.0 is affected by path traversal.
Technical ContextAI
This vulnerability (CWE-22: Path Traversal) affects liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript.. liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the default). This poses a security risk when malicious users are allowed to control the template content or specify the filepath to be included as a Liquid variable. This vulnerability is fixed in 10.25.0.
RemediationAI
Fixed in version 10.25.0.. Validate and sanitize file path inputs. Use allowlists.
The package liquidjs before 10.0.0 are vulnerable to Information Exposure when ownPropertyOnly parameter is set to False
{{ huge_array | pop }}` trigger an O(N) full clone of an attacker-influenced array that bypasses the engine's configured
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-wmfp-5q7x-987x