CVE-2026-39412

MEDIUM 5.3

LiquidJS has an ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting side-channel

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

8th

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting side-channel attack. Applications relying on ownPropertyOnly: true as a security boundary (e.g., multi-tenant template systems) are exposed to information disclosure of sensitive prototype properties such as API keys and tokens. This vulnerability is fixed in 10.25.4.

CWE	CWE-200
Vendor	harttle
Product	liquidjs
Published	Apr 8, 2026
Last Updated	Apr 9, 2026

Stay Ahead of the Next One

Get instant alerts for harttle liquidjs

Be the first to know when new medium vulnerabilities affecting harttle liquidjs are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

harttle / liquidjs

< 10.25.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/harttle/liquidjs/security/advisories/GHSA-rv5g-f82m-qrvv github.com: https://github.com/harttle/liquidjs/pull/869 github.com: https://github.com/harttle/liquidjs/commit/e743da0020d34e2ee547e1cc1a86b58377ebe1ce github.com: https://github.com/harttle/liquidjs/releases/tag/v10.25.4