GHSA-M2P3-HWV5-XPQW: Denial of Service via Unbounded Cumulative Template Output in Scriban
Vulnerability ID: GHSA-M2P3-HWV5-XPQW
CVSS Score: 6.5
Published: 2026-03-24
The Scriban template engine for .NET contains a flaw in its memory allocation limiting logic. An attacker who can supply malicious templates can bypass the LimitToString safety mechanism, causing the engine to allocate excessive memory. This leads to an Out-of-Memory (OOM) condition and subsequent application crash, resulting in a Denial of Service (DoS).
TL;DR
Scriban versions prior to 7.0.0 fail to cumulatively track string allocations across template loops. Attackers can leverage this bypass to allocate gigabytes of memory using default settings, crashing the host .NET application.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-770
- Attack Vector: Network
- Impact: Denial of Service (DoS)
- CVSS v3.1: 6.5 (Moderate)
- Exploit Status: PoC Available
- Privileges Required: Low / None
Affected Systems
- Scriban .NET Template Engine
-
Scriban: < 7.0.0 (Fixed in:
7.0.0)
Mitigation Strategies
- Upgrade the Scriban NuGet dependency to version 7.0.0 or newer.
- Manually override TemplateContext.LimitToString and TemplateContext.LoopLimit to restrictive values in application code.
- Apply container-level memory constraints to prevent full host node exhaustion during an OOM event.
- Implement application-level timeouts for template rendering operations to interrupt long-running allocation loops.
Remediation Steps:
- Identify all projects within the solution utilizing the Scriban NuGet package.
- Update the package reference in the .csproj file to version 7.0.0.
- Recompile and run unit tests to ensure compatibility with the updated engine.
- Deploy the updated application to staging environments for performance validation.
- Promote the patched application to production.
References
Read the full report for GHSA-M2P3-HWV5-XPQW on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)