Vulnerability	Vulnerable Version
M Directory Traversal liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript. Affected versions of this package are vulnerable to Directory Traversal via the `renderFile()` or `parseFile()` functions that fail to enforce `root` boundry. An attacker can access arbitrary files on the server by supplying crafted file paths that bypass the intended root directory restrictions. How to fix Directory Traversal? Upgrade `liquidjs` to version 10.25.5 or higher.	<10.25.5
M Improperly Implemented Security Check for Standard liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript. Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard via the `sort_natural` and `sort` filters, which bypass the `iownPropertyOnly` security option by accessing prototype-inherited properties even when a security option is enabled. An attacker can extract sensitive information from prototype properties by manipulating the sorting process to reveal the values through side-channel analysis. How to fix Improperly Implemented Security Check for Standard? Upgrade `liquidjs` to version 10.25.4 or higher.	<10.25.4

Directory Traversal

liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript.

Affected versions of this package are vulnerable to Directory Traversal via the renderFile() or parseFile() functions that fail to enforce root boundry. An attacker can access arbitrary files on the server by supplying crafted file paths that bypass the intended root directory restrictions.

How to fix Directory Traversal?

Upgrade liquidjs to version 10.25.5 or higher.

<10.25.5

Improperly Implemented Security Check for Standard

liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript.

Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard via the sort_natural and sort filters, which bypass the iownPropertyOnly security option by accessing prototype-inherited properties even when a security option is enabled. An attacker can extract sensitive information from prototype properties by manipulating the sorting process to reveal the values through side-channel analysis.

How to fix Improperly Implemented Security Check for Standard?

Upgrade liquidjs to version 10.25.4 or higher.

<10.25.4

Go back to all versions of this package