harttle liquidjs
cpe:2.3:a:liquidjs:liquidjs:*:*:*:*:node.js:*:*
- <= 10.25.4
A vulnerability in LiquidJS versions through 10.25.4 allows arbitrary file reading. The issue arises because top-level file loads do not properly enforce the 'root' directory constraint, which is intended to limit file access. As a result, a Liquid instance with an empty temporary directory as root can be manipulated to read and return the contents of any file accessible to the server process.
Exploitation of this vulnerability could lead to unauthorized disclosure of local files, potentially including sensitive information, depending on the application's file access permissions.
To reproduce this vulnerability, create a Liquid instance with an empty temporary directory set as the root. Then, use the 'renderFile' method to request a file outside the root directory, such as '/etc/hosts'. The contents of the requested file will be returned, demonstrating the arbitrary file read capability.
Users are advised to update to LiquidJS version 10.25.3 or later, where this vulnerability has been fixed.
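An application-side containment check for request-derived template names, as an added example (not LiquidJS code and not the project's fix). The names `resolveInsideRoot`, `isAllowed` and `demo` are hypothetical, and the sample tree is constructed in a temporary directory. It goes beyond the absolute-path case described above and also rejects `..` traversal and symlinks that leave the root.

```javascript
// Added example: reject template paths that resolve outside the root.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Returns the canonical path of `requested` when it lies inside `root`; throws otherwise.
function resolveInsideRoot(root, requested) {
  const realRoot = fs.realpathSync(root);
  // path.resolve ignores realRoot when `requested` is absolute (e.g. /etc/hosts),
  // so the decision is made on the relative path computed below, not on the join.
  const candidate = path.resolve(realRoot, requested);
  // Canonicalise existing paths so a symlink inside root cannot lead out of it.
  const real = fs.existsSync(candidate) ? fs.realpathSync(candidate) : candidate;
  const rel = path.relative(realRoot, real);
  const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (rel === '' || escapes) {
    throw new Error(`template path escapes root: ${requested}`);
  }
  return real;
}

function isAllowed(root, requested) {
  try { resolveInsideRoot(root, requested); return true; } catch { return false; }
}

// Constructed sample tree (assumes a POSIX host where symlinks can be created).
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'tpl-'));
  const root = path.join(base, 'views');
  const sibling = path.join(base, 'views-private'); // shares the "views" prefix
  fs.mkdirSync(root);
  fs.mkdirSync(sibling);
  fs.writeFileSync(path.join(root, 'home.liquid'), 'hello');
  fs.writeFileSync(path.join(sibling, 'secret.txt'), 'constructed');
  fs.symlinkSync(path.join(sibling, 'secret.txt'), path.join(root, 'link.liquid'));
  const results = {
    inside: isAllowed(root, 'home.liquid'),
    absolute: isAllowed(root, '/etc/hosts'),
    traversal: isAllowed(root, '../views-private/secret.txt'),
    symlink: isAllowed(root, 'link.liquid'),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}

console.log(demo());
```

Run the guard on any template name derived from a request before it reaches `renderFile`, and treat a thrown error as a rejected request.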