# [CRIT] [GHSA / CRITICAL] CVE-2026-45618: LiquidJS is Vulnerable to Remote Code Execution **Source:** GitHub Security Advisories **Published:** 2026-05-27 **Article:** https://github.com/advisories/GHSA-gf2q-c269-pqgc ## Threat Profile LiquidJS is Vulnerable to Remote Code Execution ### Summary It is possible to execute arbitrary code with crafted templates ### Details
`1|valueOf` -> `this` when evaluating the filter ```liquid {%assign r=1|valueOf%} {{r|inspect}} ``` ```json {"context":{"scopes":[{"r":"[Circular]"}],"registers":{},"breakCalled":false,"continueCalled":false,"sync":false,"opts":{"root":["."],"layouts":["."],"partials":["."],"relativeReference":true,"jekyllInclude":false,"k… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-45618` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1204.002** — User Execution: Malicious File - **T1059.007** — Command and Scripting Interpreter: JavaScript - **T1059** — Command and Scripting Interpreter - **T1059.004** — Unix Shell ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### LiquidJS SSTI gadget tokens in inbound HTTP (CVE-2026-45618) `UC_196_2` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Web.url) as url values(Web.src) as src values(Web.http_user_agent) as ua from datamodel=Web.Web where Web.url="*1%7CvalueOf*" OR Web.url="*r.context.scopes*" OR Web.url="*r.liquid.parser*" OR Web.url="*r.liquid.options.fs*" OR Web.url="*assign%20__proto__*" OR Web.url="*getBuiltinModule*" OR Web.url="*child_process*" OR Web.url="*group_by*where*first*last*" by Web.dest Web.http_method Web.status | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(7d) | where ActionType in ("InboundConnectionAccepted","ConnectionInbound","ConnectionSuccess") or InitiatingProcessFileName in~ ("node.exe","w3wp.exe","iisexpress.exe") | where RemoteUrl has_any ("1|valueOf","1%7CvalueOf","r.context.scopes","r.liquid.parser","r.liquid.options.fs","assign __proto__","assign%20__proto__","getBuiltinModule","child_process","execSync","fs.readFileSync") or AdditionalFields has_any ("1|valueOf","r.context.scopes","r.liquid.parser","__proto__","getBuiltinModule","child_process") | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, LocalPort, AdditionalFields | order by Timestamp desc ``` ### Node.js web process spawning shell (LiquidJS RCE post-exploit) `UC_196_3` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.user) as user from datamodel=Endpoint.Processes where (Processes.parent_process_name="node.exe" OR Processes.parent_process_name="node" OR Processes.parent_process_name="w3wp.exe") (Processes.process_name="cmd.exe" OR Processes.process_name="powershell.exe" OR Processes.process_name="pwsh.exe" OR Processes.process_name="sh" OR Processes.process_name="bash" OR Processes.process_name="dash" OR Processes.process_name="zsh") by host Processes.dest Processes.process_name Processes.parent_process_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("node.exe","node","w3wp.exe","iisnode.exe") | where FileName in~ ("cmd.exe","powershell.exe","pwsh.exe","sh","bash","dash","zsh","ksh") | where AccountName !endswith "$" | project Timestamp, DeviceName, AccountName, ParentImage = InitiatingProcessFolderPath, ParentCmd = InitiatingProcessCommandLine, ChildImage = FolderPath, ChildCmd = ProcessCommandLine, InitiatingProcessTokenElevation, ProcessIntegrityLevel, SHA256 | order by Timestamp desc ``` ### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-45618: LiquidJS is Vulnerable to Remote Code Executio `UC_196_1` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-45618: LiquidJS is Vulnerable to Remote Code Executio ``` | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_path="*/etc/passwd*") by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql // Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-45618: LiquidJS is Vulnerable to Remote Code Executio // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has_any ("/etc/passwd")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-45618` ## Why this matters Severity classified as **CRIT** based on: CVE present, 4 use case(s) fired, 5 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.