LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates

Severity:: High

Description

LiquidJS enforces partial and layout root restrictions using the resolved pathname string, but it does not resolve the canonical filesystem path before opening the file. A symlink placed inside an allowed partials or layouts directory can therefore point to a file outside that directory and still be loaded.

Recommendation

Update the liquidjs package to the latest compatible version. Followings are version details:

Affected version(s): <= 10.25.2
Patched version(s): 10.25.3

References

GHSA-56p5-8mhr-2fph
CVE-2026-35525
CWE-61
CAPEC-310
OWASP 2021-A6

Related Issues

LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash - CVE-2026-33285
LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting sid - CVE-2026-39412
LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read - CVE-2026-39859
liquidjs has a Denial of Service via circular block reference in layout - CVE-2026-41311

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; liquidjs

Anything's wrong? Let us know Last updated on April 10, 2026