CVE-2026-39859

Name of the Vulnerable Software and Affected Versions LiquidJS versions prior to 10.25.3

Description LiquidJS is a template engine compatible with Shopify and GitHub Pages. Prior to version 10.25.3, the software does not properly enforce root directory constraints when handling file loads. A Liquid instance configured with an empty temporary directory as the root can return the contents of arbitrary files. This occurs because top-level file loads do not enforce the same boundary checks as renderFile() and parseFile(). The issue resides in the file loading APIs, specifically within src/parser/parser.ts and src/fs/loader.ts. The vulnerability allows an attacker to disclose arbitrary local files readable by the server process by exploiting the lack of containment checks for LookupType.Root. The proof of concept demonstrates successful rendering of /etc/hosts when root is set to an empty directory.

Recommendations Update to LiquidJS version 10.25.3 or later.