harttle liquidjs
cpe:2.3:a:liquidjs:liquidjs:*:*:*:*:node.js:*:*
- <= 10.25.3
A vulnerability in LiquidJS versions prior to 10.25.4 allows the sort_natural filter to bypass the ownPropertyOnly security option. Because the filter reads the sort key with bracket notation, which walks the prototype chain, the value of a prototype-inherited property influences the order it produces, so a template author can learn that value through the sort order (a sorting side channel). Applications that depend on ownPropertyOnly: true as a security boundary, such as multi-tenant template systems, risk disclosing sensitive prototype properties like API keys and tokens. The root cause is that the sort_natural and sort filters access object properties directly via bracket notation instead of through an accessor that respects the ownPropertyOnly option.
Exploitation of this vulnerability could lead to unauthorized access to sensitive prototype-inherited properties, such as API keys and tokens, from context objects in LiquidJS templates.
The vulnerability can be reproduced by creating a LiquidJS engine instance with ownPropertyOnly set to true, then defining an object whose sensitive property (for example an API key) is inherited from its prototype rather than being an own property. When the sort_natural filter is applied to an array of objects that includes this one, the filter bypasses the ownPropertyOnly check and the inherited value affects the output, exposing the sensitive information.
Users should update to LiquidJS version 10.25.4 or later, where this vulnerability has been fixed.
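The following is an added example written for this page, not code from LiquidJS or the harttle project. It models the root cause the advisory describes in plain JavaScript so it runs without the library: a property accessor that uses bracket notation (and therefore reads inherited values) next to a hardened accessor that honors an ownPropertyOnly flag, a small natural sort run over both so the difference in output order is visible, and a version-range check against the fixed release 10.25.4 named above. All function names and the sample objects are constructed for illustration; the only values taken from the advisory are the option name and the version numbers.

```javascript
// Added example (not LiquidJS's own code). Models the bug class: a sort
// filter that reads obj[key] picks up prototype-inherited values, while an
// accessor that respects ownPropertyOnly does not. Names are illustrative.

// Vulnerable pattern: bracket notation traverses the prototype chain.
function readPropertyVulnerable(obj, key) {
  return obj == null ? undefined : obj[key];
}

// Hardened pattern: when ownPropertyOnly is set, refuse inherited properties.
function readPropertyOwnOnly(obj, key, ownPropertyOnly) {
  if (obj == null) return undefined;
  if (ownPropertyOnly && !Object.prototype.hasOwnProperty.call(obj, key)) {
    return undefined;
  }
  return obj[key];
}

// Minimal natural sort by a property, parameterised by the accessor so the
// same comparison logic can be exercised with both access patterns.
function sortNaturalBy(items, key, read) {
  return [...items].sort((a, b) => {
    const av = String(read(a, key) ?? '').toLowerCase();
    const bv = String(read(b, key) ?? '').toLowerCase();
    return av.localeCompare(bv, undefined, { numeric: true });
  });
}

// Constructed sample data: the secret lives on each object's prototype, not on
// the object itself, so an ownPropertyOnly engine must never let it leak.
function buildSampleItems() {
  const a = Object.create({ apiKey: 'zzz-constructed-secret' });
  a.name = 'alpha';
  const b = Object.create({ apiKey: 'aaa-constructed-secret' });
  b.name = 'beta';
  return [a, b];
}

// Returns the item names in sorted order for a given accessor, with
// ownPropertyOnly enabled. With the vulnerable accessor the inherited secrets
// decide the order; with the hardened one both reads are undefined, the
// comparison is a tie, and the (stable) sort keeps the input order.
function sortedNames(read) {
  const ownOnly = (obj, key) => read(obj, key, true);
  return sortNaturalBy(buildSampleItems(), 'apiKey', ownOnly).map((x) => x.name);
}

// Triage helper: is an installed LiquidJS version inside the affected range
// (older than the fixed release)? Assumes plain x.y.z strings; a pre-release
// suffix on the patch number is ignored by parseInt.
const FIXED_VERSION = '10.25.4';
function isAffectedVersion(version) {
  const parse = (v) => v.split('.').map((n) => parseInt(n, 10) || 0);
  const installed = parse(version);
  const fixed = parse(FIXED_VERSION);
  for (let i = 0; i < 3; i++) {
    const x = installed[i] ?? 0;
    const y = fixed[i] ?? 0;
    if (x !== y) return x < y;
  }
  return false; // equal to the fixed version: not affected
}

// Stand-alone demonstration.
console.log('vulnerable accessor order:', sortedNames(readPropertyVulnerable));
console.log('own-only accessor order:  ', sortedNames(readPropertyOwnOnly));
console.log('10.25.3 affected:', isAffectedVersion('10.25.3'));
console.log('10.25.4 affected:', isAffectedVersion('10.25.4'));
```

The check to keep from this is the accessor: any filter that looks up a key supplied by the template must go through the same ownPropertyOnly-aware path the rest of the engine uses, because sort order is an output like any other. The version helper is only for triage of installed copies; the fix itself is upgrading to 10.25.4 or later.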