Vulnerability Description
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting side-channel attack. Applications relying on ownPropertyOnly: true as a security boundary (e.g., multi-tenant template systems) are exposed to information disclosure of sensitive prototype properties such as API keys and tokens. This vulnerability is fixed in 10.25.4.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Liquidjs | Liquidjs | < 10.25.4 |
Related Weaknesses (CWE)
References
- https://github.com/harttle/liquidjs/commit/e743da0020d34e2ee547e1cc1a86b58377ebePatch
- https://github.com/harttle/liquidjs/pull/869Issue TrackingProduct
- https://github.com/harttle/liquidjs/releases/tag/v10.25.4Release Notes
- https://github.com/harttle/liquidjs/security/advisories/GHSA-rv5g-f82m-qrvvExploitVendor Advisory
- https://github.com/harttle/liquidjs/security/advisories/GHSA-rv5g-f82m-qrvvExploitVendor Advisory
FAQ
What is CVE-2026-39412?
CVE-2026-39412 is a vulnerability with a CVSS score of 5.3 (MEDIUM). LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to...
How severe is CVE-2026-39412?
CVE-2026-39412 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-39412?
Check the references section above for vendor advisories and patch information. Affected products include: Liquidjs Liquidjs.