Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
LiquidJS enforces partial and layout root restrictions using the resolved pathname string, but it does not resolve the canonical filesystem path before opening the file. A symlink placed inside an allowed partials or layouts directory can therefore point to a file outside that directory and still be loaded.
Details
For {% include %}, {% render %}, and {% layout %}, LiquidJS checks whether the candidate path is inside the configured partials or layouts roots before reading it. That check is path-based, not realpath-based.
Because of that, a file like partials/link.liquid passes the directory containment check as long as its pathname is under the allowed root. If link.liquid is actually a symlink to a file outside the allowed root, the filesystem follows the symlink when the file is opened and LiquidJS renders the external target.
So the restriction is applied to the path string that was requested, not to the file that is actually read.
This matters in environments where an attacker can place templates or otherwise influence files under a trusted template root, including uploaded themes, extracted archives, mounted content, or repository-controlled template trees.
PoC
const { Liquid } = require('liquidjs');
const fs = require('fs');
fs.rmSync('/tmp/liquid-root', { recursive: true, force: true });
fs.mkdirSync('/tmp/liquid-root', { recursive: true });
fs.writeFileSync('/tmp/secret-outside.liquid', 'SECRET_OUTSIDE');
fs.symlinkSync('/tmp/secret-outside.liquid', '/tmp/liquid-root/link.liquid');
const engine = new Liquid({ root: ['/tmp/liquid-root'] });
engine.parseAndRender('{% render "link.liquid" %}')
.then(console.log);
// SECRET_OUTSIDEImpact
If an attacker can place or influence symlinks under a trusted partials or layouts directory, they can make LiquidJS read and render files outside the intended template root. In practice this can expose arbitrary readable files reachable through symlink targets.
AnalysisAI
Path traversal via symlink in LiquidJS npm package allows authenticated template contributors to read arbitrary filesystem content outside configured template roots. The vulnerability affects applications where untrusted users can influence template directories (uploaded themes, extracted archives, repository-controlled templates). LiquidJS validates template paths using string-based directory containment checks but fails to resolve canonical filesystem paths before file access, enabling symlinks placed within allowed partials/layouts directories to reference external files. Publicly available exploit code exists. No EPSS score available, but impact is limited to information disclosure in specific deployment scenarios requiring attacker filesystem access.
Technical ContextAI
LiquidJS is a JavaScript template engine implementing Shopify's Liquid template language for Node.js environments. The vulnerability stems from CWE-61 (UNIX Symbolic Link Following) in the template inclusion mechanism. When processing {% include %}, {% render %}, and {% layout %} directives, LiquidJS performs pathname-based validation against configured root directories without calling realpath() or fs.realpathSync() to resolve symlinks before file operations. The security boundary relies on string prefix matching of the requested path rather than validating the canonical location of the actual file being read. This allows TOCTOU-style bypass where the path validation succeeds on the symlink location but filesystem operations follow the link to read external content. The vulnerability affects the core template resolution logic in the npm package pkg:npm/liquidjs, impacting all applications using partials or layouts features with untrusted template sources.
RemediationAI
Upgrade to LiquidJS version 10.25.3 or later, which resolves canonical filesystem paths before applying directory containment checks. The vendor-released patch is available via npm package update and documented in GitHub release tag v10.25.3 at github.com/harttle/liquidjs/releases/tag/v10.25.3. The fix implementation is detailed in pull request github.com/harttle/liquidjs/pull/867. For immediate mitigation before patching, implement defense-in-depth controls including restricting filesystem permissions on template directories to prevent symlink creation by untrusted users, enabling operating system symlink protections (nosymfollow mount options on Linux, symlink evaluation policies on Windows), and implementing application-layer validation to detect and reject symlink files during template upload or processing. Applications should audit existing template directories for unauthorized symlinks using find commands or filesystem scanning tools. Review access controls for template management interfaces to ensure only trusted administrators can modify template directory contents. Consider containerization with read-only template volumes for production deployments. Full technical details and security advisory available at github.com/harttle/liquidjs/security/advisories/GHSA-56p5-8mhr-2fph.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra
An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT
Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte
Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w
Same weakness CWE-61 – UNIX Symbolic Link (Symlink) Following
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20594
GHSA-56p5-8mhr-2fph