GHSA-XCX6-VP38-8HR5

GHSA-XCX6-VP38-8HR5 is a high-severity security vulnerability in Scriban (nuget), affecting versions < 7.0.0. It is fixed in 7.0.0.

Summary

The object.to_json builtin function in Scriban performs recursive JSON serialization via an internal WriteValue() static local function that has no depth limit, no circular reference detection, and no stack overflow guard. A Scriban template containing a self-referencing object passed to object.to_json triggers unbounded recursion, causing a StackOverflowException that terminates the hosting .NET process. This is a fatal, unrecoverable crash, StackOverflowException cannot be caught by user code in .NET.

Details

The vulnerable code is the WriteValue() static local function at src/Scriban/Functions/ObjectFunctions.cs:494:

static void WriteValue(TemplateContext context, Utf8JsonWriter writer, object value)
{
    var type = value?.GetType() ?? typeof(object);
    if (value is null || value is string || value is bool ||
        type.IsPrimitiveOrDecimal() || value is IFormattable)
    {
        JsonSerializer.Serialize(writer, value, type);
    }
    else if (value is IList || type.IsArray) {
        writer.WriteStartArray();
        foreach (var x in context.ToList(context.CurrentSpan, value))
        {
            WriteValue(context, writer, x);  // recursive, no depth check
        }
        writer.WriteEndArray();
    }
    else {
        writer.WriteStartObject();
        var accessor = context.GetMemberAccessor(value);
        foreach (var member in accessor.GetMembers(context, context.CurrentSpan, value))
        {
            if (accessor.TryGetValue(context, context.CurrentSpan, value, member, out var memberValue))
            {
                writer.WritePropertyName(member);
                WriteValue(context, writer, memberValue);  // recursive, no depth check
            }
        }
        writer.WriteEndObject();
    }
}

This function has none of the safety mechanisms present in other recursive paths:

  • ObjectToString() at TemplateContext.Helpers.cs:98 checks ObjectRecursionLimit (default 20)
  • EnterRecursive() at TemplateContext.cs:957 calls RuntimeHelpers.EnsureSufficientExecutionStack()
  • CheckAbort() at TemplateContext.cs:464 also calls EnsureSufficientExecutionStack()

The WriteValue() function bypasses all of these because it is a static local function that only takes the TemplateContext for member access, it never calls EnterRecursive(), never checks ObjectRecursionLimit, and never calls EnsureSufficientExecutionStack().

Execution flow:

  1. Template creates a ScriptObject: {{ x = {} }}
  2. Sets a self-reference: x.self = x, stores a reference in ScriptObject.Store dictionary
  3. Pipes to object.to_json: x | object.to_json → calls ToJson() at line 477
  4. ToJson() calls WriteValue(context, writer, value) at line 488
  5. WriteValue enters the else branch (line 515), gets members via accessor, finds "self"
  6. TryGetValue returns x itself, WriteValue recurses with the same object, infinite loop
  7. StackOverflowException is thrown, fatal, cannot be caught, process terminates

PoC

{{ x = {}; x.self = x; x | object.to_json }}

In a hosting application:

using Scriban;

// This will crash the entire process with StackOverflowException
var template = Template.Parse("{{ x = {}; x.self = x; x | object.to_json }}");
var result = template.Render(); // FATAL: process terminates here

Even without circular references, deeply nested objects can exhaust the stack since no depth limit is enforced:

{{ a = {}
   b = {inner: a}
   c = {inner: b}
   d = {inner: c}
   # ... continue nesting ...
   result = deepest | object.to_json }}

Impact

  • Process crash DoS: Any application embedding Scriban for user-provided templates (CMS platforms, email template engines, report generators, static site generators) can be crashed by a single malicious template. The crash is unrecoverable, StackOverflowException terminates the .NET process.
  • No try/catch protection possible: Unlike most exceptions, StackOverflowException cannot be caught by application code. The hosting application cannot wrap template.Render() in a try/catch to survive this.
  • No authentication required: object.to_json is a default builtin function (registered in BuiltinFunctions.cs), available in all Scriban templates unless explicitly removed.
  • Trivial to exploit: The PoC is a single line of template code.

GHSA-XCX6-VP38-8HR5 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (7.0.0); upgrading removes the vulnerable code path.

Affected versions

Scriban (< 7.0.0)

Security releases

Scriban → 7.0.0 (nuget)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Add a depth counter parameter to WriteValue() and check it against ObjectRecursionLimit, consistent with how ObjectToString is protected. Also add EnsureSufficientExecutionStack() as a safety net:

static void WriteValue(TemplateContext context, Utf8JsonWriter writer, object value, int depth = 0)
{
    if (context.ObjectRecursionLimit != 0 && depth > context.ObjectRecursionLimit)
    {
        throw new ScriptRuntimeException(context.CurrentSpan,
            $"Exceeding object recursion limit `{context.ObjectRecursionLimit}` in object.to_json");
    }

    try
    {
        RuntimeHelpers.EnsureSufficientExecutionStack();
    }
    catch (InsufficientExecutionStackException)
    {
        throw new ScriptRuntimeException(context.CurrentSpan,
            "Exceeding recursive depth limit in object.to_json, near to stack overflow");
    }

    var type = value?.GetType() ?? typeof(object);
    if (value is null || value is string || value is bool ||
        type.IsPrimitiveOrDecimal() || value is IFormattable)
    {
        JsonSerializer.Serialize(writer, value, type);
    }
    else if (value is IList || type.IsArray) {
        writer.WriteStartArray();
        foreach (var x in context.ToList(context.CurrentSpan, value))
        {
            WriteValue(context, writer, x, depth + 1);
        }
        writer.WriteEndArray();
    }
    else {
        writer.WriteStartObject();
        var accessor = context.GetMemberAccessor(value);
        foreach (var member in accessor.GetMembers(context, context.CurrentSpan, value))
        {
            if (accessor.TryGetValue(context, context.CurrentSpan, value, member, out var memberValue))
            {
                writer.WritePropertyName(member);
                WriteValue(context, writer, memberValue, depth + 1);
            }
        }
        writer.WriteEndObject();
    }
}

Frequently Asked Questions

  1. What is GHSA-XCX6-VP38-8HR5? GHSA-XCX6-VP38-8HR5 is a high-severity security vulnerability in Scriban (nuget), affecting versions < 7.0.0. It is fixed in 7.0.0.
  2. How severe is GHSA-XCX6-VP38-8HR5? GHSA-XCX6-VP38-8HR5 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of Scriban are affected by GHSA-XCX6-VP38-8HR5? Scriban (nuget) versions < 7.0.0 is affected.
  4. Is there a fix for GHSA-XCX6-VP38-8HR5? Yes. GHSA-XCX6-VP38-8HR5 is fixed in 7.0.0. Upgrade to this version or later.
  5. Is GHSA-XCX6-VP38-8HR5 exploitable, and should I be worried? Whether GHSA-XCX6-VP38-8HR5 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether GHSA-XCX6-VP38-8HR5 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-XCX6-VP38-8HR5? Upgrade Scriban to 7.0.0 or later.

Other vulnerabilities in Scriban

Stop the waste.
Protect your environment with Kodem.