Description
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), but top-level file loads do not enforce that boundary. A Liquid instance configured with an empty temporary directory as root can return the contents of arbitrary files. This vulnerability is fixed in 10.25.3.
Published: 2026-04-08
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Update Engine
AI Analysis

Impact

A configuration flaw in LiquidJS allows callers of renderFile() or parseFile() to bypass the documented root restriction when the root is set to an empty directory. The flaw permits reading the content of any file on the filesystem accessible to the running process. This leads to a confidentiality breach, exposing sensitive files such as configuration, source code, or secrets, and can compromise system integrity if the read files are subsequently processed or executed. The weakness is a classic local file read exploitation, identified as CWE-22.

Affected Systems

The vulnerability affects the Harttle LiquidJS library, specifically versions prior to 10.25.3. Applications that use LiquidJS 10.25.0‑10.25.2 and configure the root directory as an empty string are susceptible.

Risk and Exploitability

The CVSS v3 score of 6.3 classifies the issue as Medium severity. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, suggesting a lower public exploitation risk. However, the flaw is exploitable locally by an attacker who can influence the root configuration or supply parameters to renderFile()/parseFile(). Once the flaw is reached, any file readable by the application process can be extracted. There is no evidence of network‑based exploitation vectors; the attack vector is inferred to require local or application‑level access.

Generated by OpenCVE AI on April 8, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to liquidjs version 10.25.3 or later.
  • Ensure the root directory is set to a valid value and not an empty string in all configurations.
  • Avoid using renderFile() or parseFile() with untrusted input until the engine is updated.
  • If an upgrade is not immediately possible, restrict file system permissions for the process and monitor logs for unexpected file read activity.

Generated by OpenCVE AI on April 8, 2026 at 21:26 UTC.

Tracking


Advisories
Source        ID                    Title
Github GHSA   GHSA-v273-448j-v4qj   LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read
History

Thu, 09 Apr 2026 08:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Harttle
                                       Harttle liquidjs
Vendors & Products                     Harttle
                                       Harttle liquidjs

Wed, 08 Apr 2026 20:15:00 +0000

Type          Values Removed   Values Added
Description                    LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), but top-level file loads do not enforce that boundary. A Liquid instance configured with an empty temporary directory as root can return the contents of arbitrary files. This vulnerability is fixed in 10.25.3.
Title                          LiquidJS has a renderFile() / parseFile() bypass configured root and allow arbitrary file read
Weaknesses                     CWE-22
References
Metrics                        cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Harttle Liquidjs
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T19:45:21.747Z

Reserved: 2026-04-07T19:13:20.379Z

Link: CVE-2026-39859

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-08T20:16:26.273

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39859

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:34Z

Weaknesses