CVE-2026-39412

Name of the Vulnerable Software and Affected Versions: LiquidJS versions prior to 10.25.4

Description: LiquidJS is a template engine. A bypass exists in the sort natural filter regarding the ownPropertyOnly security option. This allows template authors to extract values of prototype-inherited properties through a sorting side-channel attack. Applications relying on ownPropertyOnly: true as a security boundary are vulnerable to information disclosure of sensitive prototype properties, such as API keys and tokens. The sort natural function (lines 40-48 in src/filters/array.ts) accesses object properties directly, bypassing the hasOwnProperty check used in other parts of the codebase when ownPropertyOnly is enabled. A proof-of-concept demonstrates that the sort natural filter can be used to reveal the order of prototype-inherited properties, allowing an attacker to extract secrets character-by-character through binary search.

Recommendations: Update to LiquidJS version 10.25.4 or later.