LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`
- Severity: Medium
Description
`Context.spawn()` in liquidjs creates a child `Context` for the `{% render %}` tag but does not propagate the parent context's resolved `ownPropertyOnly` value. The new context re-derives `ownPropertyOnly` from `opts.ownPropertyOnly` (the instance-level option), silently discarding any `RenderOptions.ownPropertyOnly` override that was supplied to `parseAndRender()`.
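The option resolution described above, as an added example that is not liquidjs source code: a simplified model showing the child context losing the per-render override, next to a form that forwards the parent's resolved value. `ModelContext`, `spawnUnpatched`, `spawnPropagating`, `demo` and the sample data are hypothetical names constructed for this illustration.

```javascript
// Simplified model of the behaviour in the description (hypothetical names,
// constructed for illustration; this is not the liquidjs implementation).
class ModelContext {
  constructor(scope, opts, renderOptions = {}) {
    this.scope = scope;
    this.opts = opts; // instance-level options
    // A per-render override wins over the instance-level option.
    this.ownPropertyOnly = renderOptions.ownPropertyOnly ?? opts.ownPropertyOnly;
  }

  // Behaviour the advisory describes: the child is built from opts alone,
  // so the parent's resolved ownPropertyOnly is dropped.
  spawnUnpatched(scope) {
    return new ModelContext(scope, this.opts);
  }

  // Hardened form: forward the parent's resolved value to the child.
  spawnPropagating(scope) {
    return new ModelContext(scope, this.opts, { ownPropertyOnly: this.ownPropertyOnly });
  }

  // Property read gated by ownPropertyOnly.
  get(name, prop) {
    const obj = this.scope[name];
    if (obj == null) return undefined;
    if (this.ownPropertyOnly && !Object.prototype.hasOwnProperty.call(obj, prop)) return undefined;
    return obj[prop];
  }
}

// Constructed sample data: `internalNote` is inherited, `name` is an own property.
function makeUser() {
  const user = Object.create({ internalNote: 'inherited value' });
  user.name = 'alice';
  return user;
}

// Parent context always receives the per-render override ownPropertyOnly:true.
function demo(instanceOwnPropertyOnly) {
  const scope = { user: makeUser() };
  const parent = new ModelContext(scope, { ownPropertyOnly: instanceOwnPropertyOnly }, { ownPropertyOnly: true });
  return {
    parent: parent.get('user', 'internalNote'),
    unpatchedChild: parent.spawnUnpatched(scope).get('user', 'internalNote'),
    propagatingChild: parent.spawnPropagating(scope).get('user', 'internalNote'),
    ownProp: parent.spawnPropagating(scope).get('user', 'name'),
  };
}

console.log(demo(false)); // instance-level false, per-render true
console.log(demo(true));  // instance-level true
```

In this model the inherited property is hidden in the parent but readable in the unpatched child whenever the instance-level option is `false`; with the instance-level option set to `true`, the child hides it as well, because that is the value the child re-derives.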
Recommendation
No fix is available yet. The following versions are affected:
- <= 10.25.7
Related Issues
- ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context - CVE-2026-33889
- LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime) - CVE-2026-45357
- LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting sid - CVE-2026-39412
- liquidjs has a Denial of Service via circular block reference in layout - CVE-2026-41311
- Tags: npm, liquidjs
Last updated on May 27, 2026


