Description
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting side-channel attack. Applications relying on ownPropertyOnly: true as a security boundary (e.g., multi-tenant template systems) are exposed to information disclosure of sensitive prototype properties such as API keys and tokens. This vulnerability is fixed in 10.25.4.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Now
AI Analysis

Impact

LiquidJS, a plain‑JavaScript template engine used by Shopify and GitHub Pages, contains a flaw in its sort_natural filter that bypasses the ownPropertyOnly security option. By exploiting a sorting side‑channel, a malicious template can read prototype‑inherited properties such as API keys and tokens. This leakage is a privacy breach, classified as CWE‑200, and threatens the confidentiality of data in multi‑tenant systems that rely on ownPropertyOnly as a guardrail.

Affected Systems

All deployments that use liquidjs version 10.25.3 or earlier are impacted. The affected product is the liquidjs library (vendor Harttle). Applications that enforce ownPropertyOnly: true to isolate tenant templates, such as Shopify or custom GitHub Pages configurations, are at risk of inadvertently exposing prototype information.

Risk and Exploitability

The vulnerability scores a CVSS of 5.3, indicating moderate severity. The EPSS score of < 1% indicates a very low probability of exploitation. This vulnerability is not listed in CISA's KEV catalog. Based on the description, it is inferred that the attack vector requires a malicious template rendering that invokes sort_natural to probe prototype properties. If an attacker can supply arbitrary templates, the vulnerability could be exploited in any environment that processes untrusted templates, potentially exposing sensitive configuration data.

Generated by OpenCVE AI on April 20, 2026 at 18:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade liquidjs to version 10.25.4 or later to apply the vendor patch.
  • Remove or avoid the use of the sort_natural filter in templates that handle untrusted data.
  • Configure the engine to enforce ownPropertyOnly: true for all templates so prototype properties are blocked.
  • Restrict template rendering to trusted users or contexts to reduce exposure.

Generated by OpenCVE AI on April 20, 2026 at 18:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rv5g-f82m-qrvv LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting side-channel
History

Mon, 20 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Liquidjs
Liquidjs liquidjs
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:liquidjs:liquidjs:*:*:*:*:*:node.js:*:*
Vendors & Products Liquidjs
Liquidjs liquidjs

Thu, 09 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Harttle
Harttle liquidjs
Vendors & Products Harttle
Harttle liquidjs

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Description LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting side-channel attack. Applications relying on ownPropertyOnly: true as a security boundary (e.g., multi-tenant template systems) are exposed to information disclosure of sensitive prototype properties such as API keys and tokens. This vulnerability is fixed in 10.25.4.
Title LiquidJS has an ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting side-channel
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Harttle Liquidjs
Liquidjs Liquidjs
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T13:53:27.859Z

Reserved: 2026-04-07T00:23:30.595Z

Link: CVE-2026-39412

cve-icon Vulnrichment

Updated: 2026-04-09T13:53:13.828Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T20:16:25.733

Modified: 2026-04-20T14:53:53.790

Link: CVE-2026-39412

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T19:00:10Z

Weaknesses