CVE-2026-39412
Prototype Pollution Side-Channel in LiquidJS sort_natural Filter
Publication date: 2026-04-08
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liquidjs | liquidjs | to 10.25.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39412 is a security vulnerability in the LiquidJS templating engine where the `sort` and `sort_natural` filters bypass the `ownPropertyOnly` security option. This option is designed to restrict access to only an object's own properties and prevent access to prototype-inherited properties.
Because these filters accessed properties directly without checking if they were own properties, they allowed template authors to extract values from prototype-inherited properties through a sorting side-channel attack.
This means that sensitive data such as API keys or tokens stored on an object's prototype could be leaked by observing the sorted order of objects, effectively bypassing the intended security boundary.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive information in applications using LiquidJS with the `ownPropertyOnly: true` security option, especially in multi-tenant or untrusted template environments.
Attackers can exploit the flaw by crafting templates that use the `sort` or `sort_natural` filters to infer or extract prototype-inherited sensitive properties such as API keys, tokens, or passwords through side-channel analysis of the sorted output.
The impact is an information disclosure with a moderate severity (CVSS 5.3), which could compromise confidentiality without requiring any privileges or user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing the behavior of the LiquidJS templating engine when using the `sort` or `sort_natural` filters with the `ownPropertyOnly: true` security option enabled.
A practical detection method involves creating test templates that attempt to access prototype-inherited properties through sorting operations and observing if sensitive data is leaked via the sorted output.
For example, you can craft a template that sorts objects containing prototype properties (such as a secret API key) using the `sort_natural` filter and check if the sorted order reveals information about those properties.
There are no specific network or system commands provided in the resources to detect this vulnerability automatically.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the LiquidJS package to version 10.25.4 or later, where this vulnerability has been fixed.
The fix ensures that the `sort` and `sort_natural` filters respect the `ownPropertyOnly` security option by using the internal `_getFromScope` method for property access, preventing prototype chain traversal and sensitive data leakage.
If upgrading is not immediately possible, consider restricting or disabling the use of the `sort` and `sort_natural` filters in templates, especially in multi-tenant or untrusted template environments.
Additionally, review template usage policies to ensure that untrusted users cannot supply templates that exploit this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthorized disclosure of sensitive prototype-inherited properties such as API keys and tokens in applications using LiquidJS with the ownPropertyOnly security option enabled. Such information disclosure can lead to exposure of sensitive data that may be protected under common standards and regulations like GDPR and HIPAA.
Applications relying on LiquidJS for multi-tenant or untrusted template environments could inadvertently leak confidential information due to this vulnerability, potentially resulting in non-compliance with data protection requirements that mandate safeguarding sensitive information from unauthorized access.
By allowing side-channel attacks to extract sensitive data, this vulnerability undermines the security boundaries intended to prevent unauthorized data access, which is critical for compliance with regulations that require strict control over personal and sensitive data.