Platform
nodejs
Component
liquidjs
Fixed in
10.25.1
10.25.0
CVE-2026-30952 describes a Path Traversal vulnerability discovered in liquidjs, a JavaScript templating engine. This vulnerability allows attackers to potentially read arbitrary files on the server by manipulating template content or filepaths. The vulnerability impacts versions of liquidjs before 10.25.0 and has been resolved with the release of version 10.25.0.
The core of the vulnerability lies in liquidjs's handling of file paths within its layout, render, and include tags. The require.resolve() function is used as a fallback mechanism, but it lacks sufficient restrictions on the directories it can resolve. This allows an attacker, particularly if they can control template content or specify filepaths via Liquid variables (requiring dynamicPartials: true, which is the default setting), to craft malicious requests that access files outside of the intended template directory. Successful exploitation could lead to the disclosure of sensitive configuration files, source code, or other critical data stored on the server. The blast radius extends to any application utilizing liquidjs with vulnerable configurations.
CVE-2026-30952 was publicly disclosed on 2026-03-10. There is currently no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept (PoC) code is not widely available, but the vulnerability's nature makes it relatively straightforward to exploit given access to the application's template rendering process. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.02% (5% percentile)
CISA SSVC
The primary mitigation for CVE-2026-30952 is to upgrade to liquidjs version 10.25.0 or later, which addresses the root cause of the vulnerability. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) or proxy rules to filter requests containing suspicious file paths or patterns within the layout, render, and include tags. Carefully review and sanitize any user-supplied input used in template rendering to prevent malicious file path manipulation. Disable dynamicPartials: true if it is not essential for your application’s functionality. After upgrading, confirm the fix by attempting to access arbitrary files via the vulnerable tags and verifying that access is denied.
Update the version of liquidjs to 10.25.0 or higher. This corrects the path traversal vulnerability that allows access to arbitrary files.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-30952 is a Path Traversal vulnerability affecting liquidjs versions prior to 10.25.0. It allows attackers to potentially read arbitrary files on the server by manipulating template content or filepaths.
You are affected if you are using liquidjs versions earlier than 10.25.0 and your application allows user control over template content or filepaths, especially if dynamicPartials: true is enabled.
Upgrade to liquidjs version 10.25.0 or later. Consider WAF rules or disabling dynamicPartials: true as temporary mitigations.
There is currently no evidence of active exploitation campaigns targeting CVE-2026-30952, but the vulnerability's nature makes it potentially exploitable.
Refer to the liquidjs GitHub repository for updates and advisories: https://github.com/harttle/liquidjs
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.