Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-30952

liquidjs has a path traversal fallback vulnerability
Back to all
CVE

CVE-2026-30952

liquidjs has a path traversal fallback vulnerability

Impact

The layoutrender, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the default). This poses a security risk when malicious users are allowed to control the template content or specify the filepath to be included as a Liquid variable.

Patches

The root cause is LiquidJS allows require.resolve() as fallback but doesn't limit the directories it can resolve to. The issue is fixed via #855 and published version 10.25.0 on npm.

Workarounds

Change the files in build time

In build time, through Shell script or Webpack string-replace-loader, change the file content of correxponding file (depending on your package type, for CommonJS it's dist/liquid.node.js) under dist/

  if (fs.fallback !== undefined) {
    const filepath = fs.fallback(file)
-   if (filepath !== undefined) yield filepath
+   if (filepath !== undefined) {
+     for (const dir of dirs) {
+       if (!enforceRoot || this.contains(dir, filepath)) {
+         yield filepath
+         break
+       }
+     }
    }
  }

Overriding by fs LiquidJS option

Adding a fs option to override the default fs implementation:

const { statSync, readFileSync, promises: { stat, readFile } } = require('fs')
const { resolve, extname, dirname, sep } = require('path')
const fs = {
    exists: async (fp) => { try { await stat(fp); return true; } catch { return false } },
    existsSync: (fp) => { try { statSync(fp); return true } catch { return false } },
    resolve: (root, file, ext) => resolve(root, file + (extname(file) ? '' : ext)),
    contains: (root, file) => {
        const r = resolve(root)
        return file.startsWith(r.endsWith(sep) ? r : r + sep)
    },
    readFile: (fp) => readFile(fp, 'utf8'),
    readFileSync: (fp) => readFileSync(fp, 'utf8'),
    fallback: () => undefined,
    dirname,
    sep
};
const engine = new Liquid({ fs })

References

Discussions: https://github.com/harttle/liquidjs/pull/851

Code fix: https://github.com/harttle/liquidjs/pull/855

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.7
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Related Resources

No items found.

References

https://github.com/harttle/liquidjs/security/advisories/GHSA-wmfp-5q7x-987x, https://nvd.nist.gov/vuln/detail/CVE-2026-30952, https://github.com/harttle/liquidjs/pull/851, https://github.com/harttle/liquidjs/pull/855, https://github.com/harttle/liquidjs/commit/3cd024d652dc883c46307581e979fe32302adbac, https://github.com/harttle/liquidjs

Severity

7.5

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.5
EPSS Probability
0.0002%
EPSS Percentile
0.05812%
Introduced Version
0,10.16.5,10.6.2,9.40.0,9.28.3,9.27.0
Fix Available
10.25.0,9.3.1-r1

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading