Summary
Scriban's LoopLimit only applies to script loop statements, not to expensive iteration performed inside operators and builtins. An attacker can submit a single expression such as {{ 1..1000000 | array.size }} and force large amounts of CPU work even when LoopLimit is set to a very small value.
Details
The relevant code path is:
ScriptBlockStatement.Evaluate()callscontext.CheckAbort()once per statement insrc/Scriban/Syntax/Statements/ScriptBlockStatement.cslines 41–46.LoopLimitenforcement is tied to script loop execution viaTemplateContext.StepLoop(), not to internal helper iteration.array.sizeinsrc/Scriban/Functions/ArrayFunctions.cslines 596–609 callslist.Cast<object>().Count()for non-collection enumerables.1..Ncreates aScriptRangefromScriptBinaryExpression.RangeInclude()insrc/Scriban/Syntax/Expressions/ScriptBinaryExpression.cslines 745–748.ScriptRangethen yields every element one by one without going throughStepLoop()insrc/Scriban/Runtime/ScriptRange.cs.
This means a single statement can perform arbitrarily large iteration without being stopped by LoopLimit.
There is also a related memory-amplification path in string * int:
ScriptBinaryExpression.CalculateToString()appends in a plainforloop insrc/Scriban/Syntax/Expressions/ScriptBinaryExpression.cslines 301–334.
Proof of Concept
Setup
mkdir scriban-poc3
cd scriban-poc3
dotnet new console --framework net8.0
dotnet add package Scriban --version 6.6.0
Program.cs
using Scriban;
var template = Template.Parse("{{ 1..1000000 | array.size }}");
var context = new TemplateContext
{
LoopLimit = 1
};
Console.WriteLine(template.Render(context));
Run
dotnet run
Actual Output
1000000
Expected Behavior
A safety limit of LoopLimit = 1 should prevent a template from performing one million iterations worth of work.
Optional Stronger Variant (Memory Amplification)
using Scriban;
var template = Template.Parse("{{ 'A' * 200000000 }}");
var context = new TemplateContext
{
LoopLimit = 1
};
template.Render(context);
This variant demonstrates that LoopLimit also does not constrain large internal allocation work.
Impact
This is an uncontrolled resource consumption issue. Any application that accepts attacker-controlled templates and relies on LoopLimit as part of its safe-runtime configuration can still be forced into heavy CPU or memory work by a single expression.
The issue impacts:
- Template-as-a-service systems
- CMS or email rendering systems that accept user templates
- Any multi-tenant use of Scriban with untrusted template content
Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service. Typical impact: denial of service.
GHSA-C875-H985-HVRC has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (7.0.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-C875-H985-HVRC? GHSA-C875-H985-HVRC is a high-severity uncontrolled resource consumption vulnerability in scriban (nuget), affecting versions < 7.0.0. It is fixed in 7.0.0. Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service.
- How severe is GHSA-C875-H985-HVRC? GHSA-C875-H985-HVRC has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of scriban are affected by GHSA-C875-H985-HVRC? scriban (nuget) versions < 7.0.0 is affected.
- Is there a fix for GHSA-C875-H985-HVRC? Yes. GHSA-C875-H985-HVRC is fixed in 7.0.0. Upgrade to this version or later.
- Is GHSA-C875-H985-HVRC exploitable, and should I be worried? Whether GHSA-C875-H985-HVRC is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-C875-H985-HVRC is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-C875-H985-HVRC? Upgrade
scribanto 7.0.0 or later.