GHSA-m2p3-hwv5-xpqw: Scriban: Denial of Service via Unbounded Cumulative Template Output Bypassing LimitToString
Summary
The LimitToString safety limit (default 1MB since commit b5ac4bf) can be bypassed to allocate approximately 1GB of memory by exploiting the per-call reset of _currentToStringLength in ObjectToString. Each template expression rendered through TemplateContext.Write(SourceSpan, object) triggers a separate top-level ObjectToString call that resets the length counter to zero, and the underlying StringBuilderOutput has no cumulative output size limit. An attacker who can supply a template can cause an out-of-memory condition in the host application.
Details
The root cause is in TemplateContext.Helpers.cs, in the ObjectToString method:
// src/Scriban/TemplateContext.Helpers.cs:89-111
public virtual string ObjectToString(object value, bool nested = false)
{
if (_objectToStringLevel == 0)
{
_currentToStringLength = 0; // <-- resets on every top-level call
}
try
{
_objectToStringLevel++;
// ...
var result = ObjectToStringImpl(value, nested);
if (LimitToString > 0 && _objectToStringLevel == 1 && result != null && result.Length >= LimitToString)
{
return result + "...";
}
return result;
}
// ...
}
Each time a template expression is rendered, TemplateContext.Write(SourceSpan, object) calls ObjectToString:
// src/Scriban/TemplateContext.cs:693-701
public virtual TemplateContext Write(SourceSpan span, object textAsObject)
{
if (textAsObject != null)
{
var text = ObjectToString(textAsObject); // fresh _currentToStringLength = 0
Write(text);
}
return this;
}
The StringBuilderOutput.Write method appends unconditionally with no size check:
// src/Scriban/Runtime/StringBuilderOutput.cs:47-50
public void Write(string text, int offset, int count)
{
Builder.Append(text, offset, count); // no cumulative limit
}
Execution flow:
1. Template creates a string of
Details
Original advisory: https://github.com/advisories/GHSA-m2p3-hwv5-xpqw
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10