Description
The package liquidjs before 10.0.0 is vulnerable to Information Exposure when the ownPropertyOnly parameter is set to False, which results in leaking properties of a prototype.
Workaround
For versions 9.34.0 and higher, an option to disable this functionality is provided.
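What the leak described above looks like, as an added example that is not liquidjs source code and not part of the original advisory. `resolvePath`, `render`, the `Account` class and its data are hypothetical, constructed stand-ins for a template engine's property lookup, run with the own-property check off and on.

```javascript
// Added illustration: a minimal dotted-path resolver, NOT liquidjs code.
// resolvePath/render and their ownPropertyOnly flag are hypothetical stand-ins
// that mimic the behaviour the advisory describes.
function resolvePath(scope, path, { ownPropertyOnly }) {
  let value = scope;
  for (const key of path.split('.')) {
    if (value === null || value === undefined) return undefined;
    // With the check on, only properties defined directly on the object
    // are visible; anything inherited via the prototype chain is hidden.
    if (ownPropertyOnly &&
        !Object.prototype.hasOwnProperty.call(Object(value), key)) {
      return undefined;
    }
    value = value[key];
  }
  return value;
}

// Replace each {{ path }} with its resolved value ('' when undefined).
function render(template, scope, options) {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, path) => {
    const v = resolvePath(scope, path, options);
    return v === undefined ? '' : String(v);
  });
}

// Constructed sample data: the prototype carries a value that was never
// meant to be reachable from a template.
class Account {
  constructor(name) { this.name = name; }
}
Account.prototype.internalNote = 'constructed-sample-secret';

const scope = { user: new Account('alice') };
const tpl = 'name={{ user.name }} note={{ user.internalNote }}';

// Check off: the lookup walks the prototype chain and exposes the value.
const leaky = render(tpl, scope, { ownPropertyOnly: false });
// Check on: the inherited property resolves to nothing.
const safe = render(tpl, scope, { ownPropertyOnly: true });

console.log(leaky);
console.log(safe);
```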
Recommendation
Update the liquidjs package to the latest compatible version. Version details:
- Affected version(s): < 10.0.0
- Patched version(s): 10.0.0
References
- GHSA-45rm-2893-5f49
- groups.google.com
- security.snyk.io
- CVE-2022-25948
- CWE-200
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- ReDoS Vulnerability in ua-parser-js version - CVE-2022-25927
- node-cube vulnerable to prototype pollution - CVE-2025-57348
- DOMPurify allows Cross-site Scripting (XSS) - CVE-2025-26791
- lite-server vulnerable to Denial of Service - CVE-2022-25940
Tags
- npm
- liquidjs
Last updated on February 02, 2023