LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read

Description

liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), but top-level file loads do not enforce that boundary.

The published npm package [email protected] on Linux 6.17.0 with Node v22.22.1.

Recommendation

Update the liquidjs package to the latest compatible version. Followings are version details:

• Affected version(s): <= 10.25.4
• Patched version(s): 10.25.5

References

• GHSA-v273-448j-v4qj
• CVE-2026-39859
• CWE-22
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read - CVE-2026-40163
• SillyTavern: Path Traversal in `/api/chats/export` and `/api/chats/delete` allows arbitrary file read/delete within user - CVE-2026-34524
• LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates - CVE-2026-35525
• Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket - CVE-2026-39363

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

liquidjs