DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-xcx6-vp38-8hr5: Uncontrolled Recursion leading to Denial of Service in Scriban

Vulnerability ID: GHSA-XCX6-VP38-8HR5
CVSS Score: 7.5
Published: 2026-03-24

Scriban versions prior to 7.0.0 suffer from an uncontrolled recursion vulnerability within the object.to_json built-in function. By passing a specially crafted self-referencing or deeply nested object to this function, an attacker can trigger unbounded recursion. This exhausts the execution stack, resulting in an uncatchable StackOverflowException that immediately terminates the hosting .NET process.

TL;DR

Scriban < 7.0.0 allows unauthenticated attackers to crash the host application via a StackOverflowException by piping deeply nested or self-referencing objects to the object.to_json function. This results in a complete Denial of Service. The issue is fixed in version 7.0.0.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Class: Uncontrolled Recursion (CWE-674)
  • Affected Component: object.to_json (Scriban.Functions.ObjectFunctions)
  • CVSS Score: 7.5 (High)
  • Impact: Denial of Service (Unrecoverable Process Crash)
  • Attack Vector: Network / Arbitrary Template Input
  • Exploitation Status: Proof-of-Concept Available
  • Authentication Required: None

Affected Systems

  • Scriban scripting engine versions prior to 7.0.0
  • Any .NET application rendering user-supplied Scriban templates with the default TemplateContext (which exposes object.to_json)
  • Scriban: < 7.0.0 (Fixed in: 7.0.0)

Mitigation Strategies

  • Upgrade the Scriban package to version 7.0.0 or higher.
  • Explicitly remove the object.to_json function from the Scriban TemplateContext.
  • Isolate template rendering components into dedicated processes or containers to contain fatal crashes.

Remediation Steps:

  1. Identify all projects in the solution referencing the Scriban NuGet package.
  2. Update the package reference in the .csproj file to 7.0.0.
  3. Recompile and deploy the updated application.
  4. If upgrading is blocked, modify the application code to manipulate the TemplateContext and deregister object.to_json.
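The following C# snippet is an added example of the workaround described in mitigation step 2 and remediation step 4; it is not code from the report or from the Scriban project. It assumes Scriban's public API as I know it: TemplateContext.BuiltinObject is a ScriptObject whose "object" member holds the object.* function group, and ScriptObject exposes SetReadOnly, Remove and TryGetValue. The template strings and model are constructed for the demonstration.

```csharp
using System;
using Scriban;
using Scriban.Runtime;
using Scriban.Syntax;

public static class HardenedScribanRenderer
{
    // Builds a TemplateContext with the vulnerable built-in deregistered.
    // Only needed while the Scriban package is still < 7.0.0.
    public static TemplateContext CreateHardenedContext()
    {
        var context = new TemplateContext();

        // Assumption: BuiltinObject stores each function group under its script
        // name ("object", "string", "array", ...); "object" is an ObjectFunctions,
        // which is itself a ScriptObject holding "to_json", "keys", etc.
        if (context.BuiltinObject.TryGetValue("object", out var group)
            && group is ScriptObject objectFunctions)
        {
            // Clear a read-only flag defensively, then drop the member so that
            // templates can no longer resolve object.to_json at all.
            objectFunctions.SetReadOnly("to_json", false);
            objectFunctions.Remove("to_json");
        }

        return context;
    }

    // Renders untrusted template text against a model using the hardened context.
    public static string Render(string templateText, object model)
    {
        var template = Template.Parse(templateText);
        if (template.HasErrors)
        {
            throw new InvalidOperationException(string.Join(Environment.NewLine, template.Messages));
        }

        var context = CreateHardenedContext();
        var globals = new ScriptObject();
        globals.Import(model); // public members become snake_case script variables
        context.PushGlobal(globals);
        return template.Render(context);
    }

    public static void Main()
    {
        var model = new { Name = "report" }; // constructed sample model

        // Ordinary templates keep working.
        Console.WriteLine(Render("Hello {{ name }}", model));

        // A template that reaches for the removed function now fails with a
        // catchable ScriptRuntimeException instead of a fatal StackOverflowException.
        try
        {
            Render("{{ name | object.to_json }}", model);
        }
        catch (ScriptRuntimeException ex)
        {
            Console.WriteLine("Template rejected: " + ex.Message);
        }
    }
}
```

Removing the member on the context rather than on a shared static object keeps the change scoped to the rendering path that handles untrusted input; a quick self-check after deployment is to render a template that references object.to_json and confirm the process survives with a ScriptRuntimeException.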

Read the full report for GHSA-XCX6-VP38-8HR5 on our website for more details including interactive diagrams and full exploit analysis.
