GHSA-xw6w-9jjh-p9cr
MEDIUMScriban has Multiple Denial-of-Service Vectors via Unbounded Resource Consumption During Expression Evaluation
Blast Radius
ScribanReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects NuGet packages — download data is not available via public APIs for these ecosystems.
Description
Summary
Scriban's expression evaluation contains three distinct code paths that allow an attacker who can supply a template to cause denial of service through unbounded memory allocation or CPU exhaustion. The existing safety controls (LimitToString, LoopLimit) do not protect these paths, giving applications a false sense of safety when evaluating untrusted templates.
Details
Vector 1: Unbounded string multiplication
In ScriptBinaryExpression.cs, the CalculateToString method handles the string * int operator by looping without any upper bound:
// src/Scriban/Syntax/Expressions/ScriptBinaryExpression.cs:319-334
var leftText = context.ObjectToString(left);
var builder = new StringBuilder();
for (int i = 0; i < value; i++)
{
builder.Append(leftText);
}
return builder.ToString();
The LimitToString safety control (default 1MB) does not protect this code path. It only applies to ObjectToString output conversions in TemplateContext.Helpers.cs (lines 101-121), not to intermediate string values constructed inside CalculateToString. The LoopLimit also does not apply because this is a C# for loop, not a template-level loop — StepLoop() is never called here.
Vector 2: Unbounded BigInteger shift left
The CalculateLongWithInt and CalculateBigIntegerNoFit methods handle ShiftLeft without any bound on the shift amount:
// src/Scriban/Syntax/Expressions/ScriptBinaryExpression.cs:710-711
case ScriptBinaryOperator.ShiftLeft:
return (BigInteger)left << (int)right;
// src/Scriban/Syntax/Expressions/ScriptBinaryExpression.cs:783-784
case ScriptBinaryOperator.ShiftLeft:
return left << (int)right;
In contrast, the Power operator at lines 722 and 795 uses BigInteger.ModPow(left, right, MaxBigInteger) to cap results. The MaxBigInteger constant (BigInteger.One << 1024 * 1024, defined at line 690) already exists but is never applied to shift operations.
Vector 3: LoopLimit bypass via range enumeration in builtin functions
The range operators .. and ..< produce lazy IEnumerable<object> iterators:
// src/Scriban/Syntax/Expressions/ScriptBinaryExpression.cs:401-417
private static IEnumerable<object> RangeInclude(BigInteger left, BigInteger right)
{
if (left < right)
{
for (var i = left; i <= right; i++)
{
yield return FitToBestInteger(i);
}
}
// ...
}
When these ranges are consumed by builtin functions, LoopLimit is completely bypassed because StepLoop() is only called in ScriptForStatement and ScriptWhileStatement — it is never called in any function under src/Scriban/Functions/. For example:
ArrayFunctions.Size(line 609) calls.Cast<object>().Count(), fully enumerating the rangeArrayFunctions.Join(line 388) iterates withforeachand appends to aStringBuilderwith no size limit
PoC
Vector 1 — String multiplication OOM:
var template = Template.Parse("{{ 'AAAA' * 500000000 }}");
var context = new TemplateContext();
// context.LimitToString is 1048576 by default — does NOT protect this path
template.Render(context); // OutOfMemoryException: attempts ~2GB allocation
Vector 2 — BigInteger shift OOM:
var template = Template.Parse("{{ 1 << 100000000 }}");
var context = new TemplateContext();
template.Render(context); // Allocates BigInteger with 100M bits (~12.5MB)
// {{ 1 << 2000000000 }} attempts ~250MB
Vector 3 — LoopLimit bypass via range + builtin:
var template = Template.Parse("{{ (0..1000000000) | array.size }}");
var context = new TemplateContext();
// context.LoopLimit is 1000 — does NOT protect builtin function iteration
template.Render(context); // CPU exhaustion: enumerates 1 billion items
var template = Template.Parse("{{ (0..10000000) | array.join ',' }}");
var context = new TemplateContext();
template.Render(context); // Memory exhaustion: builds ~80MB+ joined string
Impact
An attacker who can supply a Scriban template (common in CMS platforms, email templating systems, reporting tools, and other applications embedding Scriban) can cause denial of service by crashing the host process via OutOfMemoryException or exhausting CPU resources. This is particularly impactful because:
- Applications relying on the default safety controls (
LoopLimit=1000,LimitToString=1MB) believe they are protected against resource exhaustion from untrusted templates, but these controls have gaps. - A single malicious template expression is sufficient — no complex template logic is required.
- The
OutOfMemoryExceptionin vectors 1 and 2 typically terminates the entire process, not just the template evaluation.
Recommended Fix
Vector 1 — String multiplication: Check LimitToString before the loop
// src/Scriban/Syntax/Expressions/ScriptBinaryExpression.cs, before line 330
var leftText = context.ObjectToString(left);
if (context.LimitToString > 0 && (long)value * leftText.Length > context.LimitToString)
{
throw new ScriptRuntimeException(span,
$"String multiplication would exceed LimitToString ({context.LimitToString} characters)");
}
var builder = new StringBuilder();
for (int i = 0; i < value; i++)
Vector 2 — BigInteger shift: Cap the shift amount
// src/Scriban/Syntax/Expressions/ScriptBinaryExpression.cs, lines 710-711 and 783-784
case ScriptBinaryOperator.ShiftLeft:
if (right > 1048576) // Same as MaxBigInteger bit count
throw new ScriptRuntimeException(span,
$"Shift amount {right} exceeds maximum allowed (1048576)");
return (BigInteger)left << (int)right;
Vector 3 — Range + builtins: Add iteration counting to range iterators
Pass TemplateContext to RangeInclude/RangeExclude and enforce a limit:
private static IEnumerable<object> RangeInclude(TemplateContext context, BigInteger left, BigInteger right)
{
var maxRange = context.LoopLimit > 0 ? context.LoopLimit : int.MaxValue;
int count = 0;
if (left < right)
{
for (var i = left; i <= right; i++)
{
if (++count > maxRange)
throw new ScriptRuntimeException(context.CurrentNode.Span,
$"Range enumeration exceeds LoopLimit ({maxRange})");
yield return FitToBestInteger(i);
}
}
// ... same for descending branch
}
Alternatively, validate range size eagerly at creation time: if (BigInteger.Abs(right - left) > maxRange) throw ...
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| .NETNuGet | Scriban | all versions | 7.0.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for Scriban. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update Scriban to 7.0.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-xw6w-9jjh-p9cr is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-xw6w-9jjh-p9cr is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-xw6w-9jjh-p9cr. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-xw6w-9jjh-p9cr in your dependencies?
O3 detects GHSA-xw6w-9jjh-p9cr across NuGet dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.