Scriban TemplateContext Reset Authorization Bypass Vulnerability
Scriban versions before 7.0.0 have an authorization bypass vulnerability due to a stale include cache surviving TemplateContext.Reset(), potentially serving previously authorized content to subsequent renders in applications reusing TemplateContext objects with request-dependent ITemplateLoaders.
Scriban, a .NET templating engine, is vulnerable to an authorization bypass issue affecting applications that reuse TemplateContext objects. Specifically, versions prior to 7.0.0 do not properly clear the CachedTemplates collection when TemplateContext.Reset() is called. This can lead to a situation where an ITemplateLoader that resolves content based on request-specific state (e.g., user identity, tenant context) serves a stale, previously authorized template to subsequent renders, even after the context is reset. This bypass occurs because the include function retrieves templates from the cache without re-evaluating authorization, potentially leaking sensitive data across requests or tenants. This vulnerability could be exploited in multi-tenant or permission-sensitive applications using Scriban templates.
Attack Chain
- An application initializes a
TemplateContextobject and configures anITemplateLoaderthat resolves template content based on the current request or user context. - A user (e.g., an administrator) makes a request that causes the
ITemplateLoaderto load a privileged template (e.g., "admin_profile.scriban") into theTemplateContext. - The
includefunction is used within the main template to load the privileged template. The compiled template is then cached inCachedTemplates. - The application calls
TemplateContext.Reset()in an attempt to clear the context for reuse. However,CachedTemplatesis not cleared during this reset operation. - A different user (e.g., a regular user) makes a subsequent request that reuses the same
TemplateContextobject. - The
includefunction is called again, attempting to load a template. - The
TemplateContextretrieves the previously cached, privileged template fromCachedTemplateswithout callingITemplateLoader.Load()again, bypassing the intended authorization check. - The regular user is served the content of the administrator's template, leading to information disclosure.
Impact
Successful exploitation of this vulnerability allows unauthorized access to sensitive information or functionality in applications using Scriban templating. The primary impact is cross-render data isolation issues, where previously authorized template content can be leaked across different requests, users, or tenants. This can lead to the exposure of sensitive data, privilege escalation, or other security breaches, depending on the content of the leaked templates. Applications that pool or reuse TemplateContext objects, call Reset() between requests, use include for template inclusion, and resolve included content based on request-specific state are vulnerable.
Recommendation
- Upgrade to Scriban version 7.0.0 or later, where this vulnerability is resolved.
- If upgrading is not immediately feasible, avoid reusing
TemplateContextobjects across different requests or user sessions. Create a newTemplateContextfor each request. - Review and audit existing Scriban templates and
ITemplateLoaderimplementations to ensure that sensitive data is not inadvertently exposed through template inclusion. - Implement additional authorization checks within the templates themselves to verify user permissions before displaying sensitive data, even if the
TemplateLoaderis compromised. - Monitor the usage of
TemplateContext.Reset()in your application and ensure that it is used correctly and does not lead to unintended data leakage.
Detection coverage 2
Detect Scriban TemplateContext Reuse with Request-Dependent Loader
lowDetects potential Scriban template authorization bypass by identifying code patterns where TemplateContext is reused after Reset() with a request-dependent ITemplateLoader.
Detect Scriban Template Include Function Usage
infoDetects use of the Scriban 'include' function which is necessary for this authorization bypass.
Detection queries are available on the platform. Get full rules →