Scriban `object.to_json` Uncontrolled Recursion DoS
The Scriban library is vulnerable to a denial-of-service attack where a specially crafted template with a self-referencing object passed to the `object.to_json` function causes unbounded recursion, leading to a `StackOverflowException` that terminates the .NET process.
Scriban versions prior to 7.0.0 are susceptible to a denial-of-service vulnerability due to uncontrolled recursion in the object.to_json function. This function, used for recursive JSON serialization, lacks depth limits, circular reference detection, and stack overflow guards. A malicious Scriban template containing a self-referencing object, when processed by object.to_json, triggers unbounded recursion, leading to a StackOverflowException that terminates the hosting .NET process. This vulnerability poses a significant risk to applications embedding Scriban for user-provided templates, such as CMS platforms, email template engines, and static site generators. The vulnerability is easily exploitable, requiring only a single line of template code, and does not require authentication.
Attack Chain
- An attacker crafts a malicious Scriban template containing a self-referencing object. For example:
{{ x = {}; x.self = x; x | object.to_json }}. - The template is submitted to an application that uses Scriban for template processing.
- The Scriban engine parses the template and encounters the
object.to_jsonfunction call. - The
ToJson()function inObjectFunctions.cscalls the vulnerableWriteValue()function. WriteValue()attempts to serialize the self-referencing object without proper recursion checks.- Due to the self-reference,
WriteValue()enters an infinite recursion loop. - Each recursive call consumes stack space, eventually leading to a
StackOverflowException. - The
StackOverflowExceptionterminates the entire .NET process hosting the Scriban engine, resulting in a denial of service.
Impact
Successful exploitation of this vulnerability leads to a denial-of-service condition, crashing the entire .NET process hosting the Scriban engine. Any application embedding Scriban for user-provided templates is vulnerable. Because StackOverflowException cannot be caught by application code, the hosting application cannot implement try/catch to survive this. This allows an unauthenticated attacker to trivially crash services using Scriban.
Recommendation
- Upgrade to Scriban version 7.0.0 or later, which includes the fix for this vulnerability.
- If upgrading is not immediately feasible, consider implementing input validation and sanitization to prevent the use of self-referencing objects in Scriban templates.
- Monitor application logs for signs of
StackOverflowExceptionerrors originating from Scriban template processing. - Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
Detection coverage 2
Detect Scriban StackOverflowException in Application Logs
highDetects StackOverflowException errors in application logs that are likely caused by the Scriban `object.to_json` vulnerability.
Detect Process Terminations After Scriban Template Execution
mediumDetects unexpected process terminations following the execution of Scriban templates, which might indicate a StackOverflowException due to the `object.to_json` vulnerability.
Detection queries are available on the platform. Get full rules →