PT-2026-24182 · Liquidjs · Liquidjs

Moriel Harush · Published 2026-03-10 · Updated 2026-03-10 · CVE-2026-30952

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions
LiquidJS versions prior to 10.25.0

Description
The layout, render, and include tags are susceptible to arbitrary file access through absolute paths. This can occur when paths are provided as string literals or through Liquid variables, particularly when dynamicPartials: true is enabled. This allows malicious users who can control template content or specify filepaths within Liquid variables to potentially access sensitive files. The issue involves the use of the fs module and its default implementation, which can be bypassed to access files outside of the intended directory structure. The fs.fallback function is a key component in this issue.

Recommendations
Update to LiquidJS version 10.25.0 or later. As a temporary workaround, modify the dist/liquid.node.js file to include additional checks within the fs.fallback function to ensure that filepaths are contained within allowed directories. Override the default fs implementation with a custom implementation that restricts file access to authorized locations.
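One way to write the restricted fs override recommended above, as an added example (not LiquidJS code and not the project's patch). The method names are assumed to match the engine's fs option interface; makeRestrictedFs, isContained and the files created in demo are hypothetical and constructed for illustration.

```javascript
const nodeFs = require('node:fs');
const nodePath = require('node:path');
const nodeOs = require('node:os');

// True only if `file` exists and its real path (symlinks resolved) is inside `root`.
function isContained(root, file) {
  let rel;
  try {
    rel = nodePath.relative(nodeFs.realpathSync(root), nodeFs.realpathSync(file));
  } catch { return false; } // missing root or file: deny
  return rel !== '' && rel !== '..' && !rel.startsWith('..' + nodePath.sep) &&
    !nodePath.isAbsolute(rel);
}

// Hypothetical helper: builds an fs object that only serves files under allowedRoots.
function makeRestrictedFs(allowedRoots) {
  const allowed = file => allowedRoots.some(root => isContained(root, file));
  const guard = file => {
    if (!allowed(file)) throw new Error(`template outside allowed roots: ${file}`);
    return file;
  };
  return {
    sep: nodePath.sep,
    dirname: file => nodePath.dirname(file),
    // path.resolve lets an absolute `file` replace `dir`, so every read re-checks it.
    resolve: (dir, file, ext) => nodePath.resolve(dir, nodePath.extname(file) ? file : file + ext),
    exists: async file => allowed(file),
    existsSync: file => allowed(file),
    readFile: async file => nodeFs.promises.readFile(guard(file), 'utf8'),
    readFileSync: file => nodeFs.readFileSync(guard(file), 'utf8'),
    fallback: () => undefined // never retry a lookup outside the roots
  };
}

// Constructed sample: one template inside views/, one file outside it.
function demo() {
  const tmp = nodeFs.mkdtempSync(nodePath.join(nodeOs.tmpdir(), 'liquid-'));
  const views = nodePath.join(tmp, 'views');
  const outside = nodePath.join(tmp, 'outside.txt');
  nodeFs.mkdirSync(views);
  nodeFs.writeFileSync(nodePath.join(views, 'header.liquid'), 'hello');
  nodeFs.writeFileSync(outside, 'not a template');
  const rfs = makeRestrictedFs([views]);
  const read = name => {
    try { return rfs.readFileSync(rfs.resolve(views, name, '.liquid')); } catch { return 'DENIED'; }
  };
  const results = [read('header'), read(outside), read('../outside.txt')];
  nodeFs.rmSync(tmp, { recursive: true });
  return results;
}
```

The object would be supplied through the fs option when constructing the engine, with allowedRoots set to the same directories used for templates, layouts and partials.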

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-30952
GHSA-WMFP-5Q7X-987X

Affected Products

Liquidjs