Description
The package liquidjs before 10.0.0 is vulnerable to Information Exposure when the ownPropertyOnly parameter is set to false, which results in leaking properties of a prototype.
Workaround
For versions 9.34.0 and higher, an option to disable this functionality is provided.
Recommendation
Update the liquidjs package to the latest compatible version. Version details are as follows:
- Affected version(s): < 10.0.0
- Patched version(s): 10.0.0
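The exposure described above, shown as an added example that is not liquidjs code: a simplified model of a template engine's dotted-path variable lookup, with and without an own-property check. The `resolve` function, the `Account` class and the token value are hypothetical and constructed for illustration.

```javascript
// Simplified model of template variable lookup (NOT liquidjs source).
// resolve(), Account and the sample values are hypothetical, constructed here.
function resolve(scope, path, { ownPropertyOnly }) {
  let value = scope;
  for (const key of path.split('.')) {
    if (value === null || value === undefined) return undefined;
    // Hardened mode: only properties defined directly on the object are visible.
    if (ownPropertyOnly && !Object.prototype.hasOwnProperty.call(value, key)) {
      return undefined;
    }
    // Permissive mode: plain property access walks the prototype chain.
    value = value[key];
  }
  return value;
}

// Constructed sample: a model class whose prototype carries data that was
// never meant to be reachable from a template.
class Account {
  constructor(name) {
    this.name = name; // own property, intended for rendering
  }
}
Account.prototype.apiToken = 'constructed-placeholder-token';

const scope = { user: new Account('alice') };

// Resolve the same two template paths under both settings.
function demo() {
  return {
    permissiveOwn: resolve(scope, 'user.name', { ownPropertyOnly: false }),
    permissiveProto: resolve(scope, 'user.apiToken', { ownPropertyOnly: false }),
    permissiveCtor: resolve(scope, 'user.constructor.name', { ownPropertyOnly: false }),
    strictOwn: resolve(scope, 'user.name', { ownPropertyOnly: true }),
    strictProto: resolve(scope, 'user.apiToken', { ownPropertyOnly: true }),
    strictCtor: resolve(scope, 'user.constructor.name', { ownPropertyOnly: true }),
  };
}

console.log(demo());
```

With the own-property check enabled, the intended field still renders while inherited fields resolve to nothing, which is the behaviour to verify after upgrading or after enabling the option on 9.34.0 and higher.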
References
- GHSA-45rm-2893-5f49
- groups.google.com
- security.snyk.io
- CVE-2022-25948
- CWE-200
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Tags: npm, liquidjs
Last updated on February 02, 2023