CVE-2026-39412: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in harttle liquidjs
A vulnerability in LiquidJS versions prior to 10.25.4 allows template authors to bypass the ownPropertyOnly security option via the sort_natural filter. This enables unauthorized exposure of sensitive prototype-inherited properties, such as API keys and tokens, through a sorting side-channel attack. The issue is fixed in version 10.25.4.
AI Analysis
Technical Summary
LiquidJS, a JavaScript template engine compatible with Shopify and GitHub Pages, has a vulnerability (CVE-2026-39412) in versions before 10.25.4. The sort_natural filter does not respect the ownPropertyOnly security option, allowing extraction of prototype-inherited property values. This can lead to information disclosure in applications relying on ownPropertyOnly: true as a security boundary, such as multi-tenant template systems. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information).
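The class of bug described above, as an added example that is not LiquidJS source code and not part of the original advisory: a sort helper that reads its key with a plain property lookup lets inherited values influence the output order, while one that checks own properties first does not. All function names and the sample data are hypothetical and constructed for illustration.

```javascript
// Added illustration; not LiquidJS source. All names here are hypothetical.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Unguarded read: a plain lookup that follows the prototype chain.
function readAny(obj, key) {
  return obj == null ? undefined : obj[key];
}

// Guarded read: what an own-property-only policy is meant to enforce.
function readOwn(obj, key) {
  return obj != null && hasOwn(obj, key) ? obj[key] : undefined;
}

// Case-insensitive sort by property, parameterised by the reader in use.
function sortByProperty(items, key, read) {
  const norm = (v) => (v === undefined || v === null ? '' : String(v).toLowerCase());
  return [...items].sort((a, b) => {
    const x = norm(read(a, key));
    const y = norm(read(b, key));
    return x < y ? -1 : x > y ? 1 : 0;
  });
}

// Constructed sample data: on "tenant", "secret" is inherited, never own.
function makeItems(inheritedSecret) {
  const proto = { secret: inheritedSecret };
  const tenant = Object.assign(Object.create(proto), { name: 'tenant' });
  const other = { name: 'other', secret: 'm' }; // own property
  return [tenant, other];
}

// Returns the order of names after sorting on "secret" with the given reader.
function orderFor(inheritedSecret, read) {
  return sortByProperty(makeItems(inheritedSecret), 'secret', read)
    .map((item) => item.name)
    .join(',');
}

// Unguarded: the output order changes with the inherited value.
console.log(orderFor('a', readAny), '|', orderFor('z', readAny));
// Guarded: the output order is independent of the inherited value.
console.log(orderFor('a', readOwn), '|', orderFor('z', readOwn));
```

A regression test for any filter that accepts a property name can use the same shape: vary only an inherited value and assert that the rendered output does not change.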
Potential Impact
The vulnerability allows unauthorized actors to access sensitive information, including prototype-inherited properties like API keys and tokens, which should be protected by the ownPropertyOnly option. This exposure can compromise confidentiality in affected applications. The CVSS score is 5.3 (medium severity), indicating a moderate impact with no integrity or availability effects.
Mitigation Recommendations
Upgrade LiquidJS to version 10.25.4 or later, where this vulnerability is fixed. Since no official patch link or advisory is provided, users should verify the update availability from the official harttle LiquidJS repository or distribution channels. Patch status is not yet confirmed by vendor advisory; check vendor sources for current remediation guidance.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-07T00:23:30.595Z
- Cvss Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69d6b1991cc7ad14daa7cb9f
Added to database: 4/8/2026, 7:50:49 PM
Last enriched: 4/16/2026, 12:22:10 PM
Last updated: 5/23/2026, 5:50:50 PM