CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-xw6w-9jjh-p9cr: Scriban has Multiple Denial-of-Service Vectors via Unbounded Resource Consumption During Expression Evaluation

mediumCVSS 6.5
Summary Scriban's expression evaluation contains three distinct code paths that allow an attacker who can supply a template to cause denial of service through unbounded memory allocation or CPU exhaustion. The existing safety controls (LimitToString, LoopLimit) do not protect these paths, giving applications a false sense of safety when evaluating untrusted templates. Details Vector 1: Unbounded string multiplication In ScriptBinaryExpression.cs, the CalculateToString method handles the string * int operator by looping without any upper bound: // src/Scriban/Syntax/Expressions/ScriptBinaryExpression.cs:319-334 var leftText = context.ObjectToString(left); var builder = new StringBuilder(); for (int i = 0; i < value; i++) { builder.Append(leftText); } return builder.ToString(); The LimitToString safety control (default 1MB) does not protect this code path. It only applies to ObjectToString output conversions in TemplateContext.Helpers.cs (lines 101-121), not to intermediate string values constructed inside CalculateToString. The LoopLimit also does not apply because this is a C# for loop, not a template-level loop — StepLoop() is never called here. Vector 2: Unbounded BigInteger shift left The CalculateLongWithInt and CalculateBigIntegerNoFit methods handle ShiftLeft without any bound on the shift amount: // src/Scriban/Syntax/Expressions/ScriptBinaryExpression.cs:710-711 case ScriptBinaryOperator.ShiftLeft: return (BigInteger)left << (int)right; // src/Scriban/Syntax/Expressions/ScriptBinaryExpression.cs:783-784 case ScriptBinaryOperator.ShiftLeft: return left << (int)right; In contrast, the Power operator at lines 722 and 795 uses BigInteger.ModPow(left, right, MaxBigInteger) to cap results. The MaxBigInteger constant (BigInteger.One << 1024 * 1024, defined at line 690) already exists but is never applied to shift operations. Vector 3: LoopLi

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 6.5
Published
2026-03-24
Last updated
2026-07-06
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-xw6w-9jjh-p9cr

More from GitHub Security Advisories