DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-5RPF-X9JG-8J5P: Denial of Service via Memory Exhaustion in Scriban

Vulnerability ID: GHSA-5RPF-X9JG-8J5P
CVSS Score: 7.5
Published: 2026-03-19

The Scriban scripting engine is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled memory consumption. An attacker who can supply the template text itself (not merely the data rendered into a trusted template) can craft a template that triggers exponential string growth, leading to rapid heap memory exhaustion and termination of the hosting process.

TL;DR

Scriban releases before 5.12.1 ship with no default ceiling on the length of strings a template can build and no default limit on object recursion. A short loop in an attacker-supplied template can therefore grow a string to gigabytes in memory and crash the process with an Out-of-Memory (OOM) exception.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-400
  • Attack Vector: Network
  • CVSS v3.1 Score: 7.5
  • Impact: Denial of Service (DoS)
  • Exploit Status: Proof of Concept Available
  • Authentication Required: None

Affected Systems

  • Scriban NuGet package: < 5.12.1 (fixed in 5.12.1)

Code Analysis

Commit: a6fe607

The fix commit introduced default limits in ParserOptions and TemplateContext so that parsing and rendering are bounded even when the host application does not configure limits itself.

Exploit Details

  • Research Advisory: an iterative string-concatenation loop reaches OOM in 30 iterations. Doubling a string on every iteration (for example `s = s + s`) turns a single character into 2^30 characters after 30 iterations, roughly 2 GB of UTF-16, which is beyond the maximum length of a .NET string, so the allocation itself fails with an OutOfMemoryException.

Mitigation Strategies

  • Implement hard limits on string length during template rendering.
  • Restrict maximum loop iterations in the execution context.
  • Validate and sanitize user-provided templates before execution.

Remediation Steps

  1. Update the Scriban NuGet package to version 5.12.1, 6.5.7, or later.
  2. Instantiate TemplateContext with explicit resource limits rather than relying on the defaults.
  3. Set context.LimitToString to a safe ceiling (e.g., 1048576 for 1 MiB).
  4. Lower context.LoopLimit from the default of 1000 to the smallest value the application's templates actually need.
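The mitigation and remediation steps above, as an added C# example that is not code from the advisory or from the Scriban project. It assumes Scriban 5.12.1 or later and uses the two TemplateContext properties the advisory names, LoopLimit and LimitToString; the exact set of string-producing operations that LimitToString bounds is taken from the advisory, while the loop cap is the long-standing LoopLimit check, which aborts a render with a ScriptRuntimeException. The doubling template is constructed here in the shape the advisory describes, and the names SafeRender, Render and DoublingPayload are this example's own.

```csharp
// Added example, not code from the advisory or the Scriban project.
// Assumes Scriban >= 5.12.1 and the TemplateContext properties named in the
// advisory (LoopLimit, LimitToString). Exceeding LoopLimit aborts the render
// with a ScriptRuntimeException; what LimitToString bounds is as stated in
// the advisory.
using System;
using Scriban;
using Scriban.Runtime;
using Scriban.Syntax;

public static class SafeRender
{
    // Constructed payload in the shape the advisory describes: every
    // iteration concatenates the string with itself, so its length doubles
    // and 30 iterations turn one character into 2^30 characters.
    public const string DoublingPayload =
        "{{ s = 'A' }}{{ for i in 1..30 }}{{ s = s + s }}{{ end }}{{ s | string.size }}";

    // Renders untrusted template text under explicit caps instead of the
    // defaults (LoopLimit 1000, and no string ceiling before 5.12.1).
    public static string Render(string untrustedTemplate, ScriptObject globals,
                                int maxIterations, int maxStringLength)
    {
        // Validate that the template parses before it ever reaches the evaluator.
        var template = Template.Parse(untrustedTemplate);
        if (template.HasErrors)
            throw new ArgumentException("template rejected: " + string.Join("; ", template.Messages));

        var context = new TemplateContext
        {
            LoopLimit = maxIterations,        // per-loop iteration cap
            LimitToString = maxStringLength,  // ceiling on generated string length
        };
        context.PushGlobal(globals);

        try
        {
            return template.Render(context);
        }
        catch (ScriptRuntimeException ex)
        {
            // Hitting a limit aborts the render instead of exhausting the heap.
            // Fail closed: log ex.Message and do not retry with looser limits.
            return "rejected: " + ex.Message;
        }
    }

    public static void Main()
    {
        var globals = new ScriptObject();
        globals.SetValue("name", "world", readOnly: true);

        // 16 iterations and 1 MiB of string: the doubling payload is stopped at
        // the loop cap long before it can allocate gigabytes.
        Console.WriteLine(Render(DoublingPayload, globals, maxIterations: 16, maxStringLength: 1 << 20));

        // A benign template renders normally under the same limits.
        Console.WriteLine(Render("Hello {{ name }}", globals, maxIterations: 16, maxStringLength: 1 << 20));
    }
}
```

Pick the caps from what real templates in the application need and treat any ScriptRuntimeException from a limit as a security event to log, since a legitimate template should never come close to them.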

Read the full report for GHSA-5RPF-X9JG-8J5P on our website for more details including interactive diagrams and full exploit analysis.
