CVE-2026-35525: LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates

April 8, 2026 (updated April 9, 2026)

LiquidJS enforces partial and layout root restrictions using the resolved pathname string, but it does not resolve the canonical filesystem path before opening the file. A symlink placed inside an allowed partials or layouts directory can therefore point to a file outside that directory and still be loaded.

References

github.com/advisories/GHSA-56p5-8mhr-2fph
github.com/harttle/liquidjs
github.com/harttle/liquidjs/pull/867
github.com/harttle/liquidjs/releases/tag/v10.25.3
github.com/harttle/liquidjs/security/advisories/GHSA-56p5-8mhr-2fph
nvd.nist.gov/vuln/detail/CVE-2026-35525

Code Behaviors & Features

Detect and mitigate CVE-2026-35525 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →