liquidjs
npm12 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting liquidjspage 1 of 1
- CVE-2022-25948MEDIUMCVSS 5.3EG 5.3✓ Fixed in 10.0.02022-12-22
The package liquidjs before 10.0.0 are vulnerable to Information Exposure when ownPropertyOnly parameter is set to False, which results in leaking properties of a prototype. Workaround For versions 9.34.0 and higher, an option to disable t…
- CVE-2026-34166LOWCVSS 3.7EG 3.7✓ Fixed in 10.25.32026-04-08
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + patt…
- CVE-2026-35525HIGHCVSS 7.5EG 7.5✓ Fixed in 10.25.32026-04-08
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, for {% include %}, {% render %}, and {% layout %}, LiquidJS checks whether the candidate path is inside the configured partials or layout…
- CVE-2026-39412MEDIUMCVSS 5.3EG 5.3✓ Fixed in 10.25.42026-04-08
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited …
- CVE-2026-39859HIGHCVSS 7.5EG 7.5✓ Fixed in 10.25.52026-04-08
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), but top-level file loads do not enforce…
- CVE-2026-41311HIGHCVSS 7.5EG 7.5✓ Fixed in 10.25.72026-05-09
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.7, a circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB)…
- CVE-2026-44644MEDIUMCVSS 6.1EG 6.12026-05-27
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. Versions 10.25.7 and below are vulnerable to XSS through a flaw in the strip_html filter logic. The strip_html filter is intended to remove HTML tags…
- CVE-2026-44645MEDIUMCVSS 6.5EG 6.52026-05-27
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the renderLimit option can be fully bypassed by a {% for %} (or {% tablerow %}) tag whose body is empty. The renderLim…
- CVE-2026-44646MEDIUMCVSS 5.3EG 5.32026-05-27
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, Context.spawn() creates a child Context for the {% render %} tag but does not propagate the parent context's resolved …
- CVE-2026-45357HIGHCVSS 7.5EG 7.52026-05-27
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the date filter's strftime implementation parses width specifiers like %9999999d and forwards the captured width unche…
- CVE-2026-45617HIGHCVSS 7.5EG 7.5✓ Fixed in 10.26.02026-05-27
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the built-in strip_html filter uses a regex containing four flawed lazy-quantified alternatives, leading to ReDoS via …
- CVE-2026-45618CRITICALCVSS 10.0EG 10.0✓ Fixed in 10.26.02026-05-27
LiquidJS is Vulnerable to Remote Code Execution ### Summary It is possible to execute arbitrary code with crafted templates ### Details <details> <summary> `1|valueOf` -> `this` when evaluating the filter </summary> ```liquid {%ass…
Check whether liquidjs is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for liquidjs CVEs against the assets you own.
Start Free Scan →