Description
liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the default). This poses a security risk when malicious users are allowed to control the template content or specify the filepath to be included as a Liquid variable. This vulnerability is fixed in 10.25.0.
Published: 2026-03-10
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Update Package
AI Analysis

Impact

Liquidjs, a JavaScript template engine used by Shopify and GitHub Pages, contains a path traversal flaw when its layout, render, or include tags are used with absolute paths. An attacker who can influence the template content or supply the path as a variable can read any file accessible to the running process. The flaw is classified as CWE-22 (Path Traversal) and is reflected in the CVSS score of 8.7, indicating high impact on confidentiality.

Affected Systems

The flaw affects installations of harttle’s Liquidjs package before version 10.25.0 when executed in a Node.js environment. Any Node.js application that incorporates older versions of Liquidjs and renders templates supplied by untrusted users or external entities is at risk.

Risk and Exploitability

The risk is high given the CVSS score, yet the EPSS score of less than 1% suggests that exploitation is currently unlikely. From the description, exploitation appears to require neither elevated privileges nor network access beyond what the application already exposes, and the vulnerability is not listed in CISA's KEV catalog. Attackers would typically supply malicious template code or set the include path variable to reach sensitive files, so the threat is most likely for web applications that permit user-generated template content.

Generated by OpenCVE AI on April 17, 2026 at 11:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Liquidjs version 10.25.0 or later, which removes absolute path access via the affected tags.
  • Set the Liquidjs configuration option `dynamicPartials` to false to prevent variable-driven file inclusion.
  • Validate all template paths against a whitelist of allowed directories before rendering to ensure only trusted files are accessed.

Generated by OpenCVE AI on April 17, 2026 at 11:36 UTC.


Advisories

Source: GitHub GHSA; ID: GHSA-wmfp-5q7x-987x; Title: liquidjs has a path traversal fallback vulnerability
History

Wed, 18 Mar 2026 19:30:00 +0000

  First Time appeared (values added): Liquidjs; Liquidjs liquidjs
  CPEs (values added): cpe:2.3:a:liquidjs:liquidjs:*:*:*:*:*:node.js:*:*
  Vendors & Products (values added): Liquidjs; Liquidjs liquidjs
  Metrics (values added): cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 11 Mar 2026 15:15:00 +0000

  Metrics (values added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

  First Time appeared (values added): Harttle; Harttle liquidjs
  Vendors & Products (values added): Harttle; Harttle liquidjs

Tue, 10 Mar 2026 20:45:00 +0000

  Description (values added): liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the default). This poses a security risk when malicious users are allowed to control the template content or specify the filepath to be included as a Liquid variable. This vulnerability is fixed in 10.25.0.
  Title (values added): liquidjs has a path traversal fallback vulnerability
  Weaknesses (values added): CWE-22
  References: (no values shown)
  Metrics (values added): cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T14:39:22.286Z

Reserved: 2026-03-07T17:34:39.980Z

Link: CVE-2026-30952

Vulnrichment

Updated: 2026-03-11T14:39:13.623Z

NVD

Status: Analyzed

Published: 2026-03-10T21:16:48.187

Modified: 2026-03-18T19:16:25.620

Link: CVE-2026-30952

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T11:45:06Z

Weaknesses