CVE-2026-30952 in liquidjs
Summary
by MITRE • 03/10/2026
liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latter requires dynamicPartials: true, which is the default). This poses a security risk when malicious users are allowed to control the template content or specify the filepath to be included as a Liquid variable. This vulnerability is fixed in 10.25.0.
Analysis
by VulDB Data Team • 03/19/2026
The liquidjs template engine serves as a critical component in web applications, particularly within platforms like Shopify and GitHub Pages, where it processes user-generated content through templating mechanisms. This vulnerability affects versions prior to 10.25.0 and stems from improper input validation within the layout, render, and include tags. The flaw allows attackers to exploit absolute file paths through both static string literals and dynamic Liquid variables, creating a pathway for unauthorized file access that can compromise system integrity and data confidentiality. The vulnerability is particularly concerning because it operates under default configurations, making it accessible to malicious actors without requiring special setup or conditions.
The technical implementation of this vulnerability lies in the engine's handling of file path resolution within template processing. When the layout, render, or include tags process absolute paths, they fail to properly sanitize or validate the input, allowing attackers to traverse the file system and access files outside of intended directories. This issue manifests differently based on whether the path is specified as a static string or through dynamic variables. The dynamic variable scenario requires the dynamicPartials: true configuration, which is enabled by default, making the vulnerability more widespread and impactful. The underlying flaw can be categorized as a path traversal vulnerability, which aligns with CWE-22 and CWE-23 classifications in the Common Weakness Enumeration framework, representing improper limitation of a pathname to a restricted directory.
The operational impact of this vulnerability extends beyond simple unauthorized file access, potentially enabling attackers to extract sensitive configuration files, database credentials, application source code, or other critical system information. In environments where users can control template content, malicious actors could leverage this vulnerability to escalate privileges, perform data exfiltration, or establish persistent access points within the application infrastructure. The vulnerability creates a direct pathway for attackers to bypass normal access controls and potentially compromise the entire application stack. This type of attack vector is particularly relevant in multi-tenant environments or platforms where user-generated content processing occurs, as it can be exploited to access other users' data or system resources. The attack pattern aligns with techniques documented in the MITRE ATT&CK framework under T1059 for command and scripting interpreter and T1566 for credential access through exploitation of vulnerabilities.
Mitigation strategies for this vulnerability center on upgrading to liquidjs version 10.25.0 or later, which implements proper path validation and sanitization. Organizations should also consider implementing additional security controls such as restricting template editing permissions, validating all user-supplied template content, and monitoring for suspicious file access patterns. The fix addresses both static and dynamic path handling, ensuring that absolute paths are properly validated against allowed directories and that the engine does not permit traversal beyond intended boundaries. System administrators should also consider implementing network-level protections, such as firewall rules that restrict access to sensitive system directories, and application-level security measures that validate all file access requests through the template engine. Regular security assessments and penetration testing should be conducted to ensure that similar vulnerabilities are not present in other components of the application stack, as the presence of one vulnerability often indicates potential for similar issues in related systems.
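As an added example (not code from liquidjs or from this advisory), the following Node.js audit scans stored template source for the three affected tags and reports absolute-path literals and variable partial names, the two forms described above. The function names, reason labels and sample template are constructed for illustration, and the parent-directory check goes slightly beyond the absolute-path case.

```javascript
// Added example (not liquidjs code): audit template source for the tag forms
// described in CVE-2026-30952. Names and sample data are constructed.

// Matches {% layout|render|include <arg> ... %}, where <arg> is a quoted
// string literal or an unquoted token (a Liquid variable by default).
const TAG_RE = /\{%-?\s*(layout|render|include)\s+("[^"]*"|'[^']*'|[^\s,%]+)/g;

// POSIX root, UNC/backslash root, or Windows drive-letter path.
function isAbsolutePath(p) {
  return /^(\/|\\|[A-Za-z]:[\\/])/.test(p);
}

function auditTemplate(source, { dynamicPartials = true } = {}) {
  const findings = [];
  for (const m of source.matchAll(TAG_RE)) {
    const [, tag, arg] = m;
    const line = source.slice(0, m.index).split('\n').length;
    const quoted = arg[0] === '"' || arg[0] === "'";
    if (!quoted && dynamicPartials) {
      // Unquoted name is resolved from a variable at render time; its value
      // cannot be judged statically, so report it for manual review.
      findings.push({ line, tag, arg, reason: 'variable-partial-name' });
      continue;
    }
    // With dynamicPartials: false an unquoted token is a literal file name.
    const file = quoted ? arg.slice(1, -1) : arg;
    if (isAbsolutePath(file)) {
      findings.push({ line, tag, arg, reason: 'absolute-path-literal' });
    } else if (file.split(/[\\/]/).includes('..')) {
      findings.push({ line, tag, arg, reason: 'parent-directory-segment' });
    }
  }
  return findings;
}

// Constructed sample template, one tag per line.
const SAMPLE = [
  '{% layout "base.liquid" %}',
  '{% include "/srv/app/.env" %}',
  '{%- render page.partial -%}',
  "{% render 'cards/../../shared' %}",
  '{% include "footer.liquid" %}',
].join('\n');

for (const f of auditTemplate(SAMPLE)) {
  console.log(`line ${f.line}: ${f.tag} ${f.arg} -> ${f.reason}`);
}
```

The audit only helps triage templates already in storage; it does not inspect tags written inside a `{% liquid %}` block, and upgrading to 10.25.0 or later remains the fix.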