Plattform
nodejs
Komponente
liquidjs
Behoben in
10.25.1
10.25.0
CVE-2026-30952 describes a Path Traversal vulnerability discovered in liquidjs, a JavaScript templating engine. This vulnerability allows attackers to potentially read arbitrary files on the server by manipulating template content or filepaths. The vulnerability impacts versions of liquidjs before 10.25.0 and has been resolved with the release of version 10.25.0.
The core of the vulnerability lies in liquidjs's handling of file paths within its layout, render, and include tags. The require.resolve() function is used as a fallback mechanism, but it lacks sufficient restrictions on the directories it can resolve. This allows an attacker, particularly if they can control template content or specify filepaths via Liquid variables (requiring dynamicPartials: true, which is the default setting), to craft malicious requests that access files outside of the intended template directory. Successful exploitation could lead to the disclosure of sensitive configuration files, source code, or other critical data stored on the server. The blast radius extends to any application utilizing liquidjs with vulnerable configurations.
CVE-2026-30952 was publicly disclosed on 2026-03-10. There is currently no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept (PoC) code is not widely available, but the vulnerability's nature makes it relatively straightforward to exploit given access to the application's template rendering process. The vulnerability is not currently listed on the CISA KEV catalog.
Applications built on Node.js that utilize liquidjs for templating, particularly those with default configurations enabling dynamicPartials: true or allowing user-controlled template content, are at risk. Shared hosting environments where multiple applications share the same server and file system are also particularly vulnerable, as a compromise in one application could potentially lead to access to files belonging to others.
• nodejs / server:
ps aux | grep liquidjs
find / -name "liquidjs" -type d 2>/dev/null• generic web:
curl -I 'http://your-application.com/templates/include?file=../../../../etc/passwd' # Attempt to access sensitive files
grep -r 'require.resolve' /path/to/your/application/node_modules/liquidjs/disclosure
Exploit-Status
EPSS
0.02% (5% Perzentil)
CISA SSVC
The primary mitigation for CVE-2026-30952 is to upgrade to liquidjs version 10.25.0 or later, which addresses the root cause of the vulnerability. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) or proxy rules to filter requests containing suspicious file paths or patterns within the layout, render, and include tags. Carefully review and sanitize any user-supplied input used in template rendering to prevent malicious file path manipulation. Disable dynamicPartials: true if it is not essential for your application’s functionality. After upgrading, confirm the fix by attempting to access arbitrary files via the vulnerable tags and verifying that access is denied.
Actualice la versión de liquidjs a la 10.25.0 o superior. Esto corrige la vulnerabilidad de path traversal que permite el acceso a archivos arbitrarios.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-30952 is a Path Traversal vulnerability affecting liquidjs versions prior to 10.25.0. It allows attackers to potentially read arbitrary files on the server by manipulating template content or filepaths.
You are affected if you are using liquidjs versions earlier than 10.25.0 and your application allows user control over template content or filepaths, especially if dynamicPartials: true is enabled.
Upgrade to liquidjs version 10.25.0 or later. Consider WAF rules or disabling dynamicPartials: true as temporary mitigations.
There is currently no evidence of active exploitation campaigns targeting CVE-2026-30952, but the vulnerability's nature makes it potentially exploitable.
Refer to the liquidjs GitHub repository for updates and advisories: https://github.com/harttle/liquidjs
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.