GHSA-xcx6-vp38-8hr5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xcx6-vp38-8hr5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-xcx6-vp38-8hr5/GHSA-xcx6-vp38-8hr5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xcx6-vp38-8hr5
- Published
- 2026-03-24T22:15:13Z
- Modified
- 2026-03-24T22:39:49.214335Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Scriban has Uncontrolled Recursion in `object.to_json` Causing Unrecoverable Process Crash via StackOverflowException
- Details
-
Summary
The
object.to_jsonbuiltin function in Scriban performs recursive JSON serialization via an internalWriteValue()static local function that has no depth limit, no circular reference detection, and no stack overflow guard. A Scriban template containing a self-referencing object passed toobject.to_jsontriggers unbounded recursion, causing aStackOverflowExceptionthat terminates the hosting .NET process. This is a fatal, unrecoverable crash —StackOverflowExceptioncannot be caught by user code in .NET.Details
The vulnerable code is the
WriteValue()static local function atsrc/Scriban/Functions/ObjectFunctions.cs:494:static void WriteValue(TemplateContext context, Utf8JsonWriter writer, object value) { var type = value?.GetType() ?? typeof(object); if (value is null || value is string || value is bool || type.IsPrimitiveOrDecimal() || value is IFormattable) { JsonSerializer.Serialize(writer, value, type); } else if (value is IList || type.IsArray) { writer.WriteStartArray(); foreach (var x in context.ToList(context.CurrentSpan, value)) { WriteValue(context, writer, x); // recursive, no depth check } writer.WriteEndArray(); } else { writer.WriteStartObject(); var accessor = context.GetMemberAccessor(value); foreach (var member in accessor.GetMembers(context, context.CurrentSpan, value)) { if (accessor.TryGetValue(context, context.CurrentSpan, value, member, out var memberValue)) { writer.WritePropertyName(member); WriteValue(context, writer, memberValue); // recursive, no depth check } } writer.WriteEndObject(); } }This function has none of the safety mechanisms present in other recursive paths:
ObjectToString()atTemplateContext.Helpers.cs:98checksObjectRecursionLimit(default 20)EnterRecursive()atTemplateContext.cs:957callsRuntimeHelpers.EnsureSufficientExecutionStack()CheckAbort()atTemplateContext.cs:464also callsEnsureSufficientExecutionStack()
The
WriteValue()function bypasses all of these because it is a static local function that only takes theTemplateContextfor member access — it never callsEnterRecursive(), never checksObjectRecursionLimit, and never callsEnsureSufficientExecutionStack().Execution flow:
- Template creates a ScriptObject:
{{ x = {} }} - Sets a self-reference:
x.self = x— stores a reference inScriptObject.Storedictionary - Pipes to
object.to_json:x | object.to_json→ callsToJson()at line 477 ToJson()callsWriteValue(context, writer, value)at line 488WriteValueenters theelsebranch (line 515), gets members via accessor, finds "self"TryGetValuereturnsxitself,WriteValuerecurses with the same object — infinite loopStackOverflowExceptionis thrown — fatal, cannot be caught, process terminates
PoC
{{ x = {}; x.self = x; x | object.to_json }}In a hosting application:
using Scriban; // This will crash the entire process with StackOverflowException var template = Template.Parse("{{ x = {}; x.self = x; x | object.to_json }}"); var result = template.Render(); // FATAL: process terminates hereEven without circular references, deeply nested objects can exhaust the stack since no depth limit is enforced:
{{ a = {} b = {inner: a} c = {inner: b} d = {inner: c} # ... continue nesting ... result = deepest | object.to_json }}Impact
- Process crash DoS: Any application embedding Scriban for user-provided templates (CMS platforms, email template engines, report generators, static site generators) can be crashed by a single malicious template. The crash is unrecoverable —
StackOverflowExceptionterminates the .NET process. - No try/catch protection possible: Unlike most exceptions,
StackOverflowExceptioncannot be caught by application code. The hosting application cannot wraptemplate.Render()in a try/catch to survive this. - No authentication required:
object.to_jsonis a default builtin function (registered inBuiltinFunctions.cs), available in all Scriban templates unless explicitly removed. - Trivial to exploit: The PoC is a single line of template code.
Recommended Fix
Add a depth counter parameter to
WriteValue()and check it againstObjectRecursionLimit, consistent with howObjectToStringis protected. Also addEnsureSufficientExecutionStack()as a safety net:static void WriteValue(TemplateContext context, Utf8JsonWriter writer, object value, int depth = 0) { if (context.ObjectRecursionLimit != 0 && depth > context.ObjectRecursionLimit) { throw new ScriptRuntimeException(context.CurrentSpan, $"Exceeding object recursion limit `{context.ObjectRecursionLimit}` in object.to_json"); } try { RuntimeHelpers.EnsureSufficientExecutionStack(); } catch (InsufficientExecutionStackException) { throw new ScriptRuntimeException(context.CurrentSpan, "Exceeding recursive depth limit in object.to_json, near to stack overflow"); } var type = value?.GetType() ?? typeof(object); if (value is null || value is string || value is bool || type.IsPrimitiveOrDecimal() || value is IFormattable) { JsonSerializer.Serialize(writer, value, type); } else if (value is IList || type.IsArray) { writer.WriteStartArray(); foreach (var x in context.ToList(context.CurrentSpan, value)) { WriteValue(context, writer, x, depth + 1); } writer.WriteEndArray(); } else { writer.WriteStartObject(); var accessor = context.GetMemberAccessor(value); foreach (var member in accessor.GetMembers(context, context.CurrentSpan, value)) { if (accessor.TryGetValue(context, context.CurrentSpan, value, member, out var memberValue)) { writer.WritePropertyName(member); WriteValue(context, writer, memberValue, depth + 1); } } writer.WriteEndObject(); } } - Database specific
{ "cwe_ids": [ "CWE-674" ], "severity": "HIGH", "github_reviewed": true, "nvd_published_at": null, "github_reviewed_at": "2026-03-24T22:15:13Z" }- References
Affected packages
NuGet / Scriban
Package
- Name
- Scriban
- View open source insights on deps.dev
- Purl
- pkg:nuget/Scriban
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed7.0.0
Affected versions
0.*
0.1.0
0.2.0
0.2.1
0.2.2
0.3.0
0.3.1-pre028
0.3.1
0.4.0
0.5.0
0.6.0
0.7.0
0.9.0-pre100
0.9.0
0.9.1
0.10.0
0.11.0
0.12.0
0.12.1
0.13.0
0.14.0
0.15.0
0.16.0
1.*
1.0.0-beta-001
1.0.0-beta-002
1.0.0-beta-003
1.0.0-beta-004
1.0.0-beta-005
1.0.0-beta-006
1.0.0
1.1.0
1.1.1
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
2.*
2.0.0-alpha-001
2.0.0-alpha-002
2.0.0-alpha-003
2.0.0-alpha-004
2.0.0-alpha-005
2.0.0-alpha-006
2.0.0
2.0.1
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.1.0
3.2.0
3.2.1
3.2.2
3.3.0
3.3.1
3.3.2
3.3.3
3.4.0
3.4.1
3.4.2
3.5.0
3.6.0
3.7.0
3.8.0
3.8.1
3.8.2
3.9.0
4.*
4.0.0
4.0.1
4.0.2
4.1.0
5.*
5.0.0
5.1.0
5.2.0
5.3.0
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.5.0
5.5.1
5.5.2
5.6.0
5.7.0
5.8.0
5.9.0
5.9.1
5.10.0
5.11.0
5.12.0
5.12.1
6.*
6.0.0
6.1.0
6.2.0
6.2.1
6.3.0
6.4.0
6.5.0
6.5.1
6.5.2
6.5.3
6.5.4
6.5.5
6.5.6
6.5.7
6.5.8
6.6.0