CVE Reports

Posted on • Originally published at cvereports.com

GHSA-WGH7-7M3C-FX25: Uncontrolled Recursion leading to Denial of Service in Scriban Parser

Vulnerability ID: GHSA-WGH7-7M3C-FX25
CVSS Score: 7.5
Published: 2026-03-19

The Scriban templating engine prior to version 6.6.0 contains an uncontrolled recursion vulnerability in its recursive-descent parser. An attacker who supplies a maliciously nested template can trigger a StackOverflowException, which managed .NET code cannot catch, resulting in an unrecoverable process crash and complete denial of service.

TL;DR

Scriban versions prior to 6.6.0 fail to enforce default recursion depth limits during template parsing and object evaluation. Deeply nested template syntax exhausts the thread stack, causing the .NET host application to terminate immediately. The vulnerability is remediated in version 6.6.0 by enforcing safe default limits on expression depth, object recursion, and output buffer size.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Class: Uncontrolled Recursion (CWE-674)
  • Attack Vector: Network (Remote)
  • CVSS v3.1 Score: 7.5 (High)
  • Impact: Denial of Service (Process Crash)
  • Authentication Required: None
  • Exploit Status: Proof of Concept Available

Affected Systems

  • Scriban NuGet Package (< 6.6.0)
  • .NET applications utilizing Scriban for template rendering
  • Scriban: < 6.6.0 (Fixed in: 6.6.0)

Code Analysis

Commit: a6fe607

Establish default limits for ExpressionDepthLimit and ObjectRecursionLimit in configuration files

Commit: b5ac4bf

Enforce depth limits directly within EnterExpression and set evaluation buffer size limits

Exploit Details

  • Advisory PoC: Proof of concept demonstrating stack exhaustion via nested parentheses.

Mitigation Strategies

  • Upgrade the Scriban NuGet package to version 6.6.0
  • Manually instantiate ParserOptions with ExpressionDepthLimit set to 250
  • Manually instantiate TemplateContext with ObjectRecursionLimit set to 20 and LimitToString set to 1048576
  • Implement SAST rules to identify template parsing on untrusted user input without explicit depth limits
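The two configuration mitigations above (ParserOptions.ExpressionDepthLimit, and TemplateContext.ObjectRecursionLimit / LimitToString) combined into one hardened rendering path for untrusted templates, as an added example that is not part of the original advisory or of the Scriban project. The wrapper class, the sample model, the nested test input, and the assumption that a depth-limit violation surfaces as a parser message rather than a crash are all constructed here.

```csharp
// Added example (not Scriban's own code): applies the advisory's recommended limits
// before parsing and rendering template text that comes from an untrusted source.
using System;
using Scriban;
using Scriban.Parsing;
using Scriban.Runtime;
using Scriban.Syntax;

public static class SafeTemplateRenderer
{
    // Limits taken from the advisory's mitigation guidance.
    private const int ExpressionDepthLimit = 250;
    private const int ObjectRecursionLimit = 20;
    private const int OutputLimitBytes = 1048576; // 1 MiB cap on rendered output

    // Parses and renders untrusted template text. Returns null (with the parser
    // messages in `errors`) instead of letting deep nesting exhaust the thread stack.
    public static string? Render(string untrustedTemplate, ScriptObject model, out string errors)
    {
        errors = string.Empty;
        var parserOptions = new ParserOptions { ExpressionDepthLimit = ExpressionDepthLimit };
        Template template;
        try
        {
            template = Template.Parse(untrustedTemplate, parserOptions: parserOptions);
        }
        catch (ScriptRuntimeException ex) // defensive: treat a parser exception as a rejection
        {
            errors = ex.Message;
            return null;
        }
        if (template.HasErrors)
        {
            // Assumed here: exceeding ExpressionDepthLimit is reported as a parse error.
            errors = string.Join(Environment.NewLine, template.Messages);
            return null;
        }
        var context = new TemplateContext
        {
            ObjectRecursionLimit = ObjectRecursionLimit,
            LimitToString = OutputLimitBytes,
        };
        context.PushGlobal(model);
        return template.Render(context);
    }

    public static void Main()
    {
        // Constructed sample: 1000 nested parentheses, far beyond the 250 limit.
        var nested = "{{ " + new string('(', 1000) + "1" + new string(')', 1000) + " }}";
        var model = new ScriptObject { ["name"] = "world" };
        Console.WriteLine(Render("Hello {{ name }}!", model, out _));
        var rejected = Render(nested, model, out var why);
        Console.WriteLine(rejected is null ? "rejected: " + why : rejected);
    }
}
```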

Remediation Steps:

  1. Identify all projects referencing the Scriban NuGet package
  2. Update package references to version 6.6.0 in the .csproj files
  3. Recompile and run unit tests to ensure the 250 expression depth limit does not break complex legitimate templates
  4. Deploy the updated application build to production environments

Read the full report for GHSA-WGH7-7M3C-FX25 on our website for more details including interactive diagrams and full exploit analysis.
