GHSA-GRR9-747V-XVCP: Uncontrolled Recursion in Scriban Templates Leads to Denial of Service
Quick Summary
Vulnerability ID: GHSA-GRR9-747V-XVCP
CVSS Score: 7.5
Published: 2026-03-19

Scriban, a .NET text templating engine, is vulnerable to a high-severity denial-of-service (DoS) flaw caused by uncontrolled recursion during template parsing and object rendering. Because no depth boundaries were enforced by default, a maliciously crafted template, or an object graph containing circular references, can exhaust the call stack and crash the process unrecoverably.

The root cause is the absence of depth limits for nested expressions and for object traversal in the Scriban .NET templating engine. Attackers can trigger an uncatchable StackOverflowException, immediately terminating the host process. Mitigation requires updating the package or manually configuring recursion limits.

Vulnerability Class: Uncontrolled Recursion (CWE-674)
Secondary Class: Uncontrolled Resource Consumption (CWE-400)
Attack Vector: Network
CVSS v3.1 Base Score: 7.5 (High)
Impact: Denial of Service (Process Crash)
Exploit Status: Proof of Concept available
Privileges Required: None

Affected Products:
Scriban .NET Templating Engine
Any .NET application utilizing vulnerable versions of the Scriban NuGet package

Affected Versions:
Scriban: all versions prior to the March 2026 fix (commit a6fe607)
Fix:
Implement default limits for ObjectRecursionLimit and ExpressionDepthLimit to prevent stack overflow exceptions.

Mitigations:
Upgrade the Scriban NuGet package to the latest release containing the fix.
Manually configure TemplateContext.ObjectRecursionLimit = 20 for all rendering contexts.
Manually configure ParserOptions.ExpressionDepthLimit = 250 for all parsing operations.
Implement strict validation on user-provided template strings to reject excessively long or complex inputs before they reach the engine.
Ensure object graphs constructed from user input do not contain circular references before passing them to the templating engine.

Remediation Steps:
1. Identify all projects within the solution referencing the Scriban NuGet package.
2. Update the Scriban dependency to the patched version via the NuGet Package Manager.
3. Run the application's test suite to ensure the new default limits (20 for recursion, 250 for expression depth) do not break legitimate, complex templates.
4. If the update cannot be applied, locate all instances where Template.Parse() and Template.Render() are called.
5. Inject the manual limits into the ParserOptions and TemplateContext configuration objects at initialization.
6. Deploy the updated application and verify that heavily nested templates now result in a generic error response rather than a process crash.

References:
GitHub Advisory: GHSA-GRR9-747V-XVCP
Official Scriban Repository
Fix Commit: a6fe6074199e5c04f4d29dc8d8e652b24d33e3e4
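The following wrapper shows what steps 4 and 5 look like in practice when the package cannot be updated: it applies the two limits the advisory names (ExpressionDepthLimit = 250 at parse time, ObjectRecursionLimit = 20 at render time) and adds the two input checks it recommends. This is an added illustration, not code from the advisory or from the Scriban project; the 64 KiB template size cap, the HasCycle helper and the generic error strings are assumptions chosen for the example, and it assumes an exceeded expression depth surfaces as a parse message (HasErrors) rather than an exception.

```csharp
using System.Collections;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using Scriban;
using Scriban.Parsing;
using Scriban.Runtime;
using Scriban.Syntax;
// Hardened wrapper applying the advisory's two limits plus the two input checks it recommends.
public static class SafeTemplateRenderer
{
    const int MaxTemplateLength = 64 * 1024; // assumed cap for user-supplied templates
    public static string Render(string templateText, object model)
    {
        if (templateText.Length > MaxTemplateLength) return "template rejected: too large";
        if (HasCycle(model, new HashSet<object>(ReferenceEqualityComparer.Instance)))
            return "model rejected: circular reference";
        // Parse-time limit on nested expressions (advisory value: 250).
        var template = Template.Parse(templateText,
            parserOptions: new ParserOptions { ExpressionDepthLimit = 250 });
        if (template.HasErrors) return "template rejected: parse error"; // generic, no internals leaked
        // Render-time limit on object-graph traversal (advisory value: 20).
        var context = new TemplateContext { ObjectRecursionLimit = 20 };
        var globals = new ScriptObject();
        globals.Import(model);
        context.PushGlobal(globals);
        try { return template.Render(context); }
        catch (ScriptRuntimeException)
        {
            return "rendering failed"; // limit exceeded or other runtime error: fail closed, process stays up
        }
    }
    // Reference-based cycle detection over public properties, dictionary values and sequences.
    static bool HasCycle(object node, HashSet<object> path)
    {
        if (node is null || node is string || node.GetType().IsValueType) return false;
        if (!path.Add(node)) return true; // already on the current path: a cycle
        IEnumerable children = node switch
        {
            IDictionary d => d.Values,
            IEnumerable e => e,
            _ => node.GetType().GetProperties(BindingFlags.Public | BindingFlags.Instance)
                     .Where(p => p.GetIndexParameters().Length == 0).Select(p => p.GetValue(node))
        };
        foreach (var child in children) if (HasCycle(child, path)) return true;
        path.Remove(node); // leaving this branch; shared but acyclic references are fine
        return false;
    }
}
```

The cycle check tracks only the current traversal path, so a model that references the same object from two branches is still accepted while a true cycle is rejected before the engine sees it.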