Liquidjs
Products (2)
- Liquidjs: 15 CVEs (npm)
- 9 CVEs
Recent CVEs (24)

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-45618 | | cri | 0.52 | — | 0.00 | | May 27, 2026 | Summary: It is possible to execute arbitrary code with crafted templates. Details: `1\|valueOf` -> `this` when evaluating the filter. liquid: `{%assign r=1\|valueOf%} {{r\|inspect}}` json: `{"context":{"scopes":[{"r":"[Circular]"}],"re`… |
| CVE-2026-45357 | | hig | 0.45 | — | 0.00 | | May 27, 2026 | Summary: The `date` filter's strftime implementation parses width specifiers like `%9999999d` and forwards the captured width unchecked into `pad()`/`padStart()` in `src/util/underscore.ts`. The pad loop performs unbounded string concatenation without consulting the Context's… |
| CVE-2026-41311 | | Hig | 0.42 | 7.5 | 0.00 | | May 9, 2026 | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.7, a circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with… |
| CVE-2026-39859 | | Hig | 0.42 | 7.5 | 0.00 | | Apr 8, 2026 | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), but top-level file loads do not enforce that boundary. A Liquid instance… |
| CVE-2026-35525 | | Hig | 0.42 | 7.5 | 0.00 | | Apr 8, 2026 | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, for {% include %}, {% render %}, and {% layout %}, LiquidJS checks whether the candidate path is inside the configured partials or layouts roots before reading it. That check is… |
| CVE-2026-45617 | | hig | 0.38 | — | 0.00 | | May 27, 2026 | Summary: The built-in `strip_html` filter in liquidjs uses a regex containing four lazy-quantified alternatives. When the input contains many `<script`, `<style`, or `<!--` opener tokens without matching closers, the V8 regex engine performs O(N²) backtracking, blocking the… |
| CVE-2026-39412 | | Med | 0.27 | 5.3 | 0.00 | | Apr 8, 2026 | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting… |
| CVE-2026-34166 | | Low | 0.17 | 3.7 | 0.01 | | Apr 8, 2026 | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to… |
| CVE-2021-43397 | | | 0.01 | — | 0.04 | | Nov 11, 2021 | LiquidFiles before 3.6.3 allows remote attackers to elevate their privileges from Admin (or User Admin) to Sysadmin. |
| CVE-2026-12673 | | | 0.00 | — | 0.00 | | Jun 20, 2026 | LiquidFiles versions before 4.2.12 are affected by a broken access control vulnerability resulting in privilege escalation from an Admin in a secondary domain to a Sysadmin by modifying a group in their managed secondary (non-default) group. |
| CVE-2026-44646 | | | 0.00 | — | 0.00 | | May 27, 2026 | Summary: `Context.spawn()` in liquidjs creates a child `Context` for the `{% render %}` tag but does not propagate the parent context's resolved `ownPropertyOnly` value. The new context re-derives `ownPropertyOnly` from `opts.ownPropertyOnly` (the instance-level option),… |
| CVE-2026-44645 | | | 0.00 | — | 0.00 | | May 27, 2026 | Summary: The `renderLimit` option — documented in `docs/source/tutorials/dos.md` as the mechanism that "mitigates this by limiting the time consumed by each render() call" — can be fully bypassed by a `{% for %}` (or `{% tablerow %}`) tag whose body is empty. The… |
| CVE-2026-44644 | | | 0.00 | — | 0.00 | | May 27, 2026 | Summary: The `strip_html` filter in liquidjs is intended to remove HTML tags from a string before rendering, and is widely used as an XSS sanitizer. The implementation uses a regex whose catch-all branch (`<.*?>`) does not match line terminators, so any HTML tag containing a… |
| CVE-2026-33285 | | | 0.00 | — | 0.00 | | Mar 26, 2026 | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's `memoryLimit` security mechanism can be completely bypassed by using reverse range expressions (e.g., `(100000000..1)`), allowing an attacker to allocate… |
| CVE-2026-33287 | | | 0.00 | — | 0.00 | | Mar 26, 2026 | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the `replace_first` filter in LiquidJS uses JavaScript's `String.prototype.replace()` which interprets `$&` as a back reference to the matched substring. The filter only… |
| CVE-2026-30952 | | | 0.00 | — | 0.01 | | Mar 10, 2026 | liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latter require dynamicPartials:… |
| CVE-2025-56132 | | | 0.00 | — | 0.01 | | Sep 30, 2025 | LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality. The application returns distinguishable responses for valid and invalid email addresses, allowing unauthenticated attackers to determine the existence of user accounts.… |
| CVE-2025-46094 | | | 0.00 | — | 0.01 | | Aug 4, 2025 | LiquidFiles before 4.1.2 allows directory traversal by configuring the pathname of a local executable file as an Actionscript. |
| CVE-2025-46093 | | | 0.00 | — | 0.01 | | Aug 4, 2025 | LiquidFiles before 4.1.2 supports FTP SITE CHMOD for mode 6777 (setuid and setgid), which allows FTPDrop users to execute arbitrary code as root by leveraging the Actionscript feature and the sudoers configuration. |
| CVE-2023-4393 | | | 0.00 | — | 0.00 | | Oct 29, 2023 | HTML and SMTP injections on the registration page of LiquidFiles versions 3.7.13 and below allow an attacker to perform more advanced phishing attacks against an organization. |