Skip to main content

Liquidjs

3 CVEs product

Monthly

CVE-2026-55575 HIGH PATCH This Week

{{ huge_array | pop }}` trigger an O(N) full clone of an attacker-influenced array that bypasses the engine's configured memoryLimit budget, enabling denial of service through memory exhaustion. The `pop` array filter in src/filters/array.ts clones its input via `[...toArray(v)]` without routing the allocation through `this.context.memoryLimit.use(...)`, so the safety guard applications rely on is silently defeated. There is no public exploit identified at time of analysis, EPSS/KEV data was not supplied, and the impact is limited to availability (no confidentiality or integrity loss).

Denial Of Service Liquidjs
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.4%
CVE-2026-30952 npm HIGH PATCH This Week

liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. versions up to 10.25.0 is affected by path traversal.

Path Traversal Liquidjs
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2022-25948 npm MEDIUM POC PATCH This Month

The package liquidjs before 10.0.0 are vulnerable to Information Exposure when ownPropertyOnly parameter is set to False, which results in leaking properties of a prototype. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Liquidjs
NVD GitHub
CVSS 3.1
5.3
EPSS
0.8%
EPSS 0% CVSS 8.2
HIGH PATCH This Week

{{ huge_array | pop }}` trigger an O(N) full clone of an attacker-influenced array that bypasses the engine's configured memoryLimit budget, enabling denial of service through memory exhaustion. The `pop` array filter in src/filters/array.ts clones its input via `[...toArray(v)]` without routing the allocation through `this.context.memoryLimit.use(...)`, so the safety guard applications rely on is silently defeated. There is no public exploit identified at time of analysis, EPSS/KEV data was not supplied, and the impact is limited to availability (no confidentiality or integrity loss).

Denial Of Service Liquidjs
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. versions up to 10.25.0 is affected by path traversal.

Path Traversal Liquidjs
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

The package liquidjs before 10.0.0 are vulnerable to Information Exposure when ownPropertyOnly parameter is set to False, which results in leaking properties of a prototype. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Liquidjs
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy