GHSA-5wr9-m6jw-xx44: Scriban: Sandbox escape due to TypedObjectAccessorcache bypassing MemberFilter after TemplateContext reuse
Summary
TemplateContext caches type accessors by Type only, but those accessors are built using the current MemberFilter and MemberRenamer. When a TemplateContext is reused and the filter is tightened for a later render, Scriban still reuses the old accessor and continues exposing members that should now be hidden.
Details
The relevant code path is:
- TemplateContext.GetMemberAccessor() caches accessors in _memberAccessors by Type in src/Scriban/TemplateContext.cs lines 850–863.
- For plain .NET objects, GetMemberAccessorImpl() creates a new TypedObjectAccessor(type, _keyComparer, MemberFilter, MemberRenamer) in src/Scriban/TemplateContext.cs lines 909–939.
- TypedObjectAccessor stores the current filter and precomputes the exposed member set in its constructor and PrepareMembers() in src/Scriban/Runtime/Accessors/TypedObjectAccessor.cs lines 33–40 and 119–179.
- Member access later goes through ScriptMemberExpression.GetValue() in src/Scriban/Syntax/Expressions/ScriptMemberExpression.cs lines 67–95, which uses the cached accessor.
- TemplateContext.Reset() does not clear _memberAccessors in src/Scriban/TemplateContext.cs lines 877–902.
As a result, once a permissive accessor has been created for a given type, changing TemplateContext.MemberFilter later does not take effect for that type on the same reused context.
This is especially relevant because the Scriban docs explicitly recommend TemplateContext.MemberFilter for indirect .NET object exposure.
Proof of Concept
Setup
mkdir scriban-poc2
cd scriban-poc2
dotnet new console --framework net8.0
dotnet add package Scriban --version 6.6.0
Program.cs
using System.Reflection;
using Scriban;
using Scriban.Runtime;
var template = Template.Parse("{{ model.secret }}");
var context = new TemplateContext
{
EnableRelaxedMemberAccess = false
};
var globals = new ScriptObject();
globals["model"] = new SensitiveModel();
Details
Original advisory: https://github.com/advisories/GHSA-5wr9-m6jw-xx44
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10