CVE Reports

Posted on • Originally published at cvereports.com

GHSA-GRR9-747V-XVCP: Uncontrolled Recursion in Scriban Templates Leads to Denial of Service

Vulnerability ID: GHSA-GRR9-747V-XVCP
CVSS Score: 7.5
Published: 2026-03-19

Scriban, a .NET text templating engine, is vulnerable to a high-severity denial-of-service (DoS) flaw due to uncontrolled recursion during template parsing and object rendering. The lack of default depth boundaries allows maliciously crafted templates or objects with circular references to exhaust the call stack, causing an unrecoverable process crash.

TL;DR

A denial-of-service vulnerability exists in the Scriban .NET templating engine due to missing depth limits for nested expressions and object traversal. Attackers can trigger an uncatchable StackOverflowException, immediately terminating the host process. Mitigation requires updating the package or manually configuring recursion limits.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Class: Uncontrolled Recursion (CWE-674)
  • Secondary Class: Uncontrolled Resource Consumption (CWE-400)
  • Attack Vector: Network
  • CVSS v3.1 Base Score: 7.5 (High)
  • Impact: Denial of Service (Process Crash)
  • Exploit Status: Proof of Concept available
  • Privileges Required: None

Affected Systems

  • Scriban .NET Templating Engine
  • Any .NET application utilizing vulnerable versions of the Scriban NuGet package
  • Scriban: All versions prior to the March 2026 fix

Code Analysis

Commit: a6fe607

Implement default limits for ObjectRecursionLimit and ExpressionDepthLimit to prevent stack overflow exceptions.

Mitigation Strategies

  • Upgrade the Scriban NuGet package to the latest release containing the fix.
  • Manually configure TemplateContext.ObjectRecursionLimit = 20 for all rendering contexts.
  • Manually configure ParserOptions.ExpressionDepthLimit = 250 for all parsing operations.
  • Implement strict validation on user-provided template strings to reject excessively long or complex inputs before they reach the engine.
  • Ensure object graphs constructed from user input do not contain circular references before passing them to the templating engine.

Remediation Steps:

  1. Identify all projects within the solution referencing the Scriban NuGet package.
  2. Update the Scriban dependency to the patched version via the NuGet Package Manager.
  3. Run the application's test suite to ensure the new default limits (20 for recursion, 250 for expression depth) do not break legitimate, complex templates.
  4. If the update cannot be applied, locate all instances where Template.Parse() and Template.Render() are called.
  5. Inject the manual limits into the ParserOptions and TemplateContext configuration objects at initialization.
  6. Deploy the updated application and verify that heavily nested templates now result in a generic error response rather than a process crash.
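As an added example (not code from the advisory or the Scriban project), the mitigations above combined in one hardened rendering helper: it assumes the ParserOptions.ExpressionDepthLimit and TemplateContext.ObjectRecursionLimit property names the advisory gives, and assumes that hitting the render-time limit surfaces as a catchable ScriptRuntimeException rather than a stack overflow.

```csharp
using System;
using Scriban;
using Scriban.Parsing;
using Scriban.Runtime;

public static class HardenedRenderer
{
    // Limits named in the advisory (also the defaults introduced by the fix).
    private const int RecursionLimit = 20;
    private const int DepthLimit = 250;

    // Parse and render an untrusted template with explicit limits, mapping any
    // engine error to a generic response instead of letting the process die.
    public static string Render(string untrustedTemplate, ScriptObject model)
    {
        // ParserOptions.ExpressionDepthLimit bounds expression nesting during parsing.
        var parserOptions = new ParserOptions { ExpressionDepthLimit = DepthLimit };
        var template = Template.Parse(untrustedTemplate, parserOptions: parserOptions);
        if (template.HasErrors)
        {
            // Overly deep expressions are reported as parse errors, not exceptions.
            return "error: template rejected";
        }

        // TemplateContext.ObjectRecursionLimit bounds object-graph traversal at render time.
        var context = new TemplateContext { ObjectRecursionLimit = RecursionLimit };
        context.PushGlobal(model);
        try
        {
            return template.Render(context);
        }
        catch (ScriptRuntimeException)
        {
            // Assumption: exceeding the recursion limit throws a catchable ScriptRuntimeException.
            return "error: template rejected";
        }
    }

    public static void Main()
    {
        // Constructed inputs: a deeply nested expression and a self-referencing object.
        var nested = "{{ " + new string('(', 1000) + "1" + new string(')', 1000) + " }}";
        var circular = new ScriptObject();
        circular["self"] = circular;

        Console.WriteLine(Render(nested, new ScriptObject()));                    // rejected at parse
        Console.WriteLine(Render("{{ data }}", new ScriptObject { ["data"] = circular })); // rejected at render
        Console.WriteLine(Render("Hello {{ name }}", new ScriptObject { ["name"] = "world" }));
    }
}
```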

References

Read the full report for GHSA-GRR9-747V-XVCP on our website for more details including interactive diagrams and full exploit analysis.
