GHSA-7jvp-hj45-2f2m: Scriban Template Writes to Arbitrary CLR Properties via TypedObjectAccessor
Vulnerability ID: GHSA-7JVP-HJ45-2F2M
CVSS Score: 7.7
Published: 2026-07-06
An improper access control and mass assignment vulnerability in Scriban allows templates to write to arbitrary, restricted CLR properties (including private, internal, and init-only properties) of context-bound objects, causing unexpected state mutations on the host application heap.
TL;DR
Scriban dynamically resolves and modifies restricted C# object properties (private, internal, init) within templates, bypassing language-level access controls and enabling mass assignment attacks.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-284, CWE-915
- Attack Vector: Network / Context Template Injection
- CVSS v4 Score: 7.7
- Exploit Status: poc
- CISA KEV Status: Not Listed
- Impact: Improper Access Control / State Mutation
Affected Systems
- Scriban Template Engine
-
Scriban: <= 7.2.1 (Fixed in:
7.2.2)
Mitigation Strategies
- Upgrade Scriban NuGet package to version 7.2.2 or later
- Implement a strict, custom MemberFilter to restrict write operations
- Avoid binding untrusted or multi-use CLR objects directly to the template context
Remediation Steps:
- Identify all applications using Scriban <= 7.2.1
- Update the package reference in .csproj to 7.2.2
- Verify all Custom MemberFilters are configured correctly
- Audit templates for assignments targeting internal fields
References
- GitHub Security Advisory
- .NET API Documentation - PropertyInfo.SetValue Reference
- C# Language Specification - Init Accessors
- CWE-915 Reference
- CWE-284 Reference
Read the full report for GHSA-7JVP-HJ45-2F2M on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)