logo

Database

Improper resource allocation In scriban

Description

Scriban has a Stack Overflow via Nested Array Initializers That Bypass the ExpressionDepthLimit Fix

Summary

StackOverflowException via nested array initializers bypasses ExpressionDepthLimit fix (GHSA-wgh7-7m3c-fx25)

Details

The recent fix for GHSA-wgh7-7m3c-fx25 (uncontrolled recursion in parser) added ExpressionDepthLimit defaulting to 250. However, deeply nested array initializers ([[[[...) recurse through ParseArrayInitializerParseExpressionParseArrayInitializer, which is a different recursion path not covered by the expression depth counter.

This causes a StackOverflowException on current main (commit b5ac4bf - "Add limits for default safety").

PoC

using Scriban;

// ExpressionDepthLimit (default 250) does NOT prevent this crash
string nested = "{{ " + new string('[', 5000) + "1" + new string(']', 5000) + " }}";
Template.Parse(nested); // StackOverflowException - process terminates

Impact

Same as GHSA-wgh7-7m3c-fx25: High severity. StackOverflowException cannot be caught with try/catch in .NET - the process terminates immediately. Any application calling Template.Parse with untrusted input is vulnerable, even with the new default ExpressionDepthLimit enabled.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-p6q4-fgr8-vx4p2. GHSA-wgh7-7m3c-fx253. GCVE-GHSA-p6q4-fgr8-vx4p

References

1. https://github.com/scriban/scriban/security/advisories/GHSA-p6q4-fgr8-vx4p

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.