How severe is GHSA-wgh7-7m3c-fx25?

GHSA-wgh7-7m3c-fx25 has a CVSS score of 7.5/10, rated HIGH. Immediate patching is strongly recommended.

Which packages are affected by GHSA-wgh7-7m3c-fx25?

GHSA-wgh7-7m3c-fx25 affects the following packages: scriban (NuGet). Ecosystems affected: NuGet.

How do I fix GHSA-wgh7-7m3c-fx25?

Update scriban to 6.6.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-wgh7-7m3c-fx25 is resolved across your whole dependency graph.

How do I detect GHSA-wgh7-7m3c-fx25 in my NuGet dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for scriban. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-wgh7-7m3c-fx25 if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-wgh7-7m3c-fx25?

O3 pinpoints whether GHSA-wgh7-7m3c-fx25 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-wgh7-7m3c-fx25 actively exploited in the wild?

No public exploit code has been indexed for GHSA-wgh7-7m3c-fx25 yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

When was GHSA-wgh7-7m3c-fx25 published, and has it been updated?

GHSA-wgh7-7m3c-fx25 was published on March 19, 2026 and was last updated on March 20, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

.NET NuGet

GHSA-wgh7-7m3c-fx25

HIGH

Scriban has Uncontrolled Recursion in Parser Leads to Stack Overflow and Process Crash (Denial of Service)

Published

Mar 19, 2026

Updated

Mar 20, 2026

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

Blast Radius

1 pkg affected

.NETscriban

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects NuGet packages — download data is not available via public APIs for these ecosystems.

Description

Scriban is vulnerable to an uncontrolled process crash resulting in a Denial of Service. Because the recursive-descent parser does not enforce a default limit on expression depth, an attacker who controls template input can craft a heavily nested template that triggers a StackOverflowException. In .NET, a StackOverflowException cannot be caught by standard try-catch blocks, resulting in the immediate and ungraceful termination of the entire hosting process.

Scriban utilizes a recursive-descent parser to process template expressions. While the library exposes an ExpressionDepthLimit property in its ParserOptions, this property defaults to null (disabled).

If an application accepts user-supplied templates (or dynamically constructs templates from untrusted input), an attacker can supply thousands of nested parentheses or blocks. As the parser recursively evaluates each nested layer, it consumes thread stack space until it exceeds the limits of the host OS, triggering a fatal crash.

Impact

An attacker can supply crafted input that triggers a StackOverflowException, causing immediate termination of the hosting process and resulting in a Denial of Service. In applications that process untrusted or user-controlled templates (e.g., web applications or APIs), this can be exploited remotely without authentication. The failure is not recoverable, requiring a full process restart and leading to service disruption.

Proof of Concept (PoC)

The following C# code demonstrates the vulnerability. Executing this code will immediately terminate the application process.

using Scriban;

// Creates a deeply nested expression: (((( ... (1) ... ))))
string nested = new string('(', 10000) + "1" + new string(')', 10000);

try {
  // This will crash the entire process immediately
  Scriban.Template.Parse("{{ " + nested + " }}");
} catch (Exception ex) {
  // This catch block will never execute because StackOverflowException
  Console.WriteLine("Caught exception: " + ex.Message);
}

Suggested Remediation

Update the ParserOptions constructor (or the internal parser initialization) to set a default value for ExpressionDepthLimit. A limit of 1000 (or even lower, such as 250 or 500) is generally more than enough for legitimate templates while safely preventing stack exhaustion.

public int? ExpressionDepthLimit { get; set; } = 250;

Alternatively, document the risk heavily and warn developers to manually set ExpressionDepthLimit if evaluating untrusted templates, though a secure-by-default approach is strongly preferred.

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
.NETNuGet	`scriban`	all versions	6.6.0

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for scriban. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update scriban to 6.6.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-wgh7-7m3c-fx25 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-wgh7-7m3c-fx25 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-wgh7-7m3c-fx25. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

Scriban is vulnerable to an uncontrolled process crash resulting in a Denial of Service. Because the recursive-descent parser does not enforce a default limit on expression depth, an attacker who controls template input can craft a heavily nested template that triggers a `StackOverflowException`. In .NET, a `StackOverflowException` cannot be caught by standard `try-catch` blocks, resulting in the immediate and ungraceful termination of the entire hosting process. Scriban utilizes a recursive-descent parser to process template expressions. While the library exposes an `ExpressionDepthLimit` p

O3 Security · Impact-Aware SCA

Is GHSA-wgh7-7m3c-fx25 in your dependencies?

O3 detects GHSA-wgh7-7m3c-fx25 across NuGet dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works