python-liquid: Absolute paths escape filesystem loader search path
Description
Impact
The built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and render arbitrary files via the {% include %} and {% render %} tags. Targeted files would need to contain valid Liquid markup and be readable by the application process.
Patches
The issue is fixed in version 2.2.0 with the inclusion of a template_path.is_absolute() condition in liquid/builtin/loaders/file_system_loader.py.
```python
if os.path.pardir in template_path.parts or template_path.is_absolute():
    raise TemplateNotFoundError(template_name)
```
Workarounds
Create a custom template loader by inheriting from FileSystemLoader and overriding resolve_path(). Use an instance of the custom loader as the loader argument when instantiating your Liquid environment.
```python
import os
from pathlib import Path
from liquid import Environment
from liquid import FileSystemLoader
from liquid.exceptions import TemplateNotFoundError


class MyFileSystemLoader(FileSystemLoader):
    def resolve_path(self, template_name: str) -> Path:
        template_path = Path(template_name)
        if self.ext and not template_path.suffix:
            template_path = template_path.with_suffix(self.ext)
        # Reject names that could leave the search path: any ".." component
        # or an absolute path (which Path.joinpath would use as-is).
        if os.path.pardir in template_path.parts or template_path.is_absolute():
            raise TemplateNotFoundError(template_name)
        for path in self.search_path:
            source_path = path.joinpath(template_path)
            if not source_path.exists():
                continue
            return source_path
        raise TemplateNotFoundError(template_name)


env = Environment(loader=MyFileSystemLoader("path/to/templates/"))
```
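The following is an added, self-contained example (not code from the advisory or from python-liquid) showing why the absolute-path check matters: `pathlib.Path.joinpath()` discards the left-hand side when the right-hand side is absolute, so a loader that joins an unchecked name onto its search directory hands back the attacker-supplied path unchanged. The `naive_resolve` function below is a constructed, guard-free lookup written only to contrast with `safe_resolve`; it is not the project's pre-2.2.0 code. `safe_resolve` applies the same two conditions the advisory describes and adds a containment check on the canonicalised path, which also catches symlinks that point outside the search directory. `TemplateNotFound` is a hypothetical stand-in for `liquid.exceptions.TemplateNotFoundError`, and all files are created in a temporary directory so the script runs offline.

```python
import os
import tempfile
from pathlib import Path
from typing import Callable


class TemplateNotFound(Exception):
    """Hypothetical stand-in for liquid.exceptions.TemplateNotFoundError."""


def naive_resolve(search_path: list[Path], template_name: str, ext: str = ".liquid") -> Path:
    """Constructed, guard-free lookup (not python-liquid's code).

    Path.joinpath() returns the right-hand operand unchanged when it is
    absolute, so base.joinpath('/etc/hosts') is simply '/etc/hosts'.
    """
    template_path = Path(template_name)
    if ext and not template_path.suffix:
        template_path = template_path.with_suffix(ext)
    for base in search_path:
        candidate = base.joinpath(template_path)
        if candidate.exists():
            return candidate
    raise TemplateNotFound(template_name)


def safe_resolve(search_path: list[Path], template_name: str, ext: str = ".liquid") -> Path:
    """Lookup with the advisory's two conditions plus a containment check."""
    template_path = Path(template_name)
    if ext and not template_path.suffix:
        template_path = template_path.with_suffix(ext)
    # The 2.2.0 guard: no '..' components and no absolute names.
    if template_path.is_absolute() or os.path.pardir in template_path.parts:
        raise TemplateNotFound(template_name)
    for base in search_path:
        candidate = base.joinpath(template_path)
        if not candidate.exists():
            continue
        # Defence in depth: after resolving symlinks, the target must still
        # lie under the search directory.
        if not candidate.resolve().is_relative_to(base.resolve()):
            raise TemplateNotFound(template_name)
        return candidate
    raise TemplateNotFound(template_name)


def classify(fn: Callable[[list[Path], str], Path], search: list[Path], root: Path, name: str) -> str:
    """Return 'rejected', 'ok' (inside root) or 'escaped' (outside root)."""
    try:
        found = fn(search, name)
    except TemplateNotFound:
        return "rejected"
    inside = found.resolve().is_relative_to(root.resolve())
    return "ok" if inside else "escaped"


def demo() -> dict[str, str]:
    """Build a constructed template tree and exercise both resolvers."""
    outcomes: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "templates"
        root.mkdir()
        (root / "page.liquid").write_text("Hello {{ name }}")
        # A file outside the search path, standing in for a secret that
        # happens to contain Liquid markup.
        outside = base / "secret.liquid"
        outside.write_text("{{ token }}")
        cases = {
            "relative": "page",
            "absolute": str(outside),
            "traversal": "../secret",
        }
        try:  # symlink creation may be unavailable on some platforms
            (root / "link.liquid").symlink_to(outside)
            cases["symlink"] = "link"
        except OSError:
            pass
        for label, name in cases.items():
            outcomes[f"naive:{label}"] = classify(naive_resolve, [root], root, name)
            outcomes[f"safe:{label}"] = classify(safe_resolve, [root], root, name)
    return outcomes


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(f"{key:16} {value}")
```

The naive resolver returns the outside file for both the absolute and the `../` names, while the safe resolver rejects both and still serves the legitimate relative name. The symlink case is the one the advisory's check alone does not cover; the `is_relative_to` comparison on the resolved path closes it.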
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Python Liquid's FileSystemLoader and CachingFileSystemLoader fail to block absolute paths, enabling malicious template authors to read arbitrary files via {% include %} and {% render %} tags.
The built-in FileSystemLoader and CachingFileSystemLoader in Python Liquid do not validate whether a requested template path is absolute. When a template author uses {% include %} or {% render %} with an absolute path, the loaders resolve it directly without checking if it lies within the configured search paths. This oversight allows an attacker who can supply or modify templates to read arbitrary files on the filesystem, provided those files contain valid Liquid markup and are readable by the application process [2].
To exploit this vulnerability, an attacker must have the ability to author or control template content that is processed by the affected loader. No additional authentication or network position is required beyond that. By crafting a template that includes an absolute path (e.g., /etc/passwd), the attacker can force the loader to read and render the target file. The file must contain Liquid syntax to be rendered, but even partial content may be exposed through error messages or output [2].
The impact is limited to reading files that contain Liquid markup; however, this could include sensitive configuration files, secrets, or other templates that contain embedded Liquid tags. The vulnerability does not allow arbitrary code execution or file writing, but information disclosure can lead to further compromise [2].
The issue is patched in Python Liquid version 2.2.0, which adds a check for template_path.is_absolute() in the loader's resolve_path method. Users unable to upgrade can implement a custom loader that overrides resolve_path to reject absolute paths, as described in the advisory [2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| python-liquid (PyPI) | < 2.2.0 | 2.2.0 |