CVE-2026-30952 Overview
CVE-2026-30952 is a Path Traversal vulnerability affecting LiquidJS, a Shopify/GitHub Pages compatible template engine written in pure JavaScript. Prior to version 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths. This can occur either as string literals or through Liquid variables, with the latter requiring the dynamicPartials: true setting (which is enabled by default).
Critical Impact
Attackers who control template content or can specify the filepath as a Liquid variable can read arbitrary files from the server filesystem, potentially exposing sensitive configuration files, credentials, and application source code.
Affected Products
- LiquidJS versions prior to 10.25.0
- Applications using LiquidJS with user-controlled template content
- Systems with dynamicPartials: true (default setting) allowing variable-based file paths
Discovery Timeline
- 2026-03-10 - CVE-2026-30952 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30952
Vulnerability Analysis
This vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The flaw exists in LiquidJS's handling of file paths within the layout, render, and include template tags. When processing these tags, the template engine does not properly validate or sanitize the provided file paths, allowing attackers to traverse outside the intended template directory using absolute paths.
The vulnerability is particularly dangerous in scenarios where users have any level of control over template content or can influence the filepath parameter passed to these tags. Since dynamicPartials: true is the default configuration, many installations are vulnerable out of the box when accepting user-supplied Liquid variables for file inclusion.
Root Cause
The root cause lies in insufficient path validation within LiquidJS's file resolution logic. The template engine fails to restrict file access to the designated template root directory when absolute paths are provided. This allows the layout, render, and include tags to resolve paths that point anywhere on the filesystem, bypassing intended directory boundaries. The lack of path canonicalization and boundary checks enables attackers to read sensitive files outside the template directory.
Attack Vector
The attack can be executed remotely over the network without authentication. An attacker needs to either control the template content being processed by LiquidJS or be able to specify a Liquid variable that gets used as a file path in layout, render, or include tags.
When exploited, the attacker crafts a malicious template or variable containing an absolute filesystem path (such as /etc/passwd on Linux systems or other sensitive configuration files). When the template engine processes this input, it reads and potentially renders the contents of the specified file, leading to information disclosure.
The attack requires no user interaction and can be automated against vulnerable applications. Applications that allow user-generated templates or accept user input that influences template file paths are at highest risk.
Detection Methods for CVE-2026-30952
Indicators of Compromise
- Unexpected file access attempts to sensitive system files (e.g., /etc/passwd, /etc/shadow, application configuration files)
- Template rendering errors referencing files outside the expected template directory
- Web application logs showing requests with absolute file paths in template-related parameters
- Suspicious Liquid template content containing absolute paths or path traversal sequences
Detection Strategies
- Monitor application logs for file access requests targeting sensitive directories outside the template root
- Implement web application firewall (WAF) rules to detect and block requests containing absolute paths or path traversal patterns in template-related parameters
- Review application code for instances where user input flows into LiquidJS layout, render, or include tags
- Perform static analysis of templates to identify hardcoded absolute paths
Monitoring Recommendations
- Enable verbose logging for template rendering operations in development and staging environments
- Set up alerts for file access patterns that indicate path traversal attempts
- Monitor for unusual read operations on sensitive system files through endpoint detection solutions
- Implement runtime application self-protection (RASP) to detect and block path traversal attempts
How to Mitigate CVE-2026-30952
Immediate Actions Required
- Upgrade LiquidJS to version 10.25.0 or later immediately
- Audit all applications using LiquidJS to identify instances where user input may control template content or file paths
- Review and restrict template directories to prevent unintended file access
- Consider disabling dynamicPartials if variable-based file inclusion is not required
Patch Information
The vulnerability has been fixed in LiquidJS version 10.25.0. The security patch addresses the path validation issue by properly restricting file access to the configured template root directory. For detailed information about the fix, see the GitHub Security Advisory GHSA-wmfp-5q7x-987x and the associated commit.
Additional technical details are available in Pull Request #851 and Pull Request #855.
Workarounds
- If immediate upgrade is not possible, set dynamicPartials: false to prevent variable-based file path resolution
- Implement input validation at the application layer to reject any template input containing absolute paths
- Configure LiquidJS with a restrictive root option that limits file access to a specific directory
- Use application-level sandboxing to restrict the LiquidJS process's filesystem access permissions
- Deploy a web application firewall with rules specifically targeting path traversal patterns
# Update LiquidJS to patched version
npm update liquidjs@10.25.0
# Or install specific patched version
npm install liquidjs@10.25.0 --save
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
