<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Csharp - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/csharp/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 17:38:12 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/csharp/feed.xml" rel="self" type="application/rss+xml"/><item><title>Scriban Template Engine Vulnerability: Arbitrary CLR Property Writes (Mass Assignment &amp; Setter Bypass)</title><link>https://feed.craftedsignal.io/briefs/2026-07-scriban-mass-assignment-cwe-915-cwe-284/</link><pubDate>Mon, 06 Jul 2026 17:38:12 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-scriban-mass-assignment-cwe-915-cwe-284/</guid><description>The Scriban templating engine, specifically its `TypedObjectAccessor`, allows template code to write to arbitrary CLR object properties, including those with `private set`, `internal set`, and `init` modifiers, effectively bypassing intended C# access restrictions. This mass assignment (CWE-915) and access-modifier bypass (CWE-284) vulnerability can lead to unauthorized modification of sensitive host object properties, such as changing `user.is_admin = true`, with changes persisting after template rendering, affecting Scriban versions up to and including 7.2.1, with the `init` bypass specifically impacting .NET 5+.</description><content:encoded><![CDATA[<p>A critical vulnerability exists in the Scriban templating engine (versions &lt;= 7.2.1) where its <code>TypedObjectAccessor</code> component permits template code to arbitrarily write to properties of Common Language Runtime (CLR) objects pushed into a <code>TemplateContext</code>. This flaw encompasses two primary weaknesses: mass assignment of public setters (CWE-915) and an access-modifier bypass (CWE-284), which allows templates to modify properties declared with <code>private set</code>, <code>internal set</code>, or <code>init</code> modifiers. The <code>TypedObjectAccessor</code> fails to perform <code>CanWrite</code> or setter-visibility checks, enabling reflective invocation of property setters. This means that a malicious template can alter sensitive data or application state, such as elevating privileges (e.g., setting <code>user.is_admin</code> to <code>true</code>) directly on the host application's live objects. The changes persist even after the template rendering completes. The <code>init</code> keyword bypass specifically affects applications running on .NET 5.0 and later versions, while <code>private set</code> and <code>internal set</code> bypasses affect all supported runtimes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Application Embeds Host Object:</strong> A host .NET application initializes a Scriban <code>TemplateContext</code> and pushes a sensitive CLR object (e.g., a <code>User</code> object) into it using a <code>ScriptObject</code> (e.g., <code>so[&quot;user&quot;] = currentUser; context.PushGlobal(so);</code>).</li>
<li><strong>Malicious Template Content:</strong> An attacker introduces or manipulates Scriban template code executed by the host application to include an assignment operation targeting a property of the embedded CLR object (e.g., <code>{{ user.IsAdmin = true }}</code>, <code>{{ order.TotalPrice = 0 }}</code>, or <code>{{ config.SensitiveSetting = 'malicious_value' }}</code>).</li>
<li><strong>Template Execution Initiated:</strong> The host application calls a method like <code>Render()</code> on the Scriban template, triggering its execution.</li>
<li><strong>Vulnerable Accessor Invocation:</strong> During template execution, when the malicious assignment is encountered, Scriban's internal dispatch mechanism calls <code>TypedObjectAccessor.TrySetValue</code> for the targeted property.</li>
<li><strong>Setter Visibility Bypass:</strong> The <code>TypedObjectAccessor.TrySetValue</code> method, specifically in lines 108–123 of <code>TypedObjectAccessor.cs</code>, proceeds without verifying the <code>CanWrite</code> status of the property or checking the visibility (e.g., <code>private set</code>, <code>internal set</code>) or <code>init</code> status of its setter.</li>
<li><strong>Reflection Property Modification:</strong> The vulnerability allows the <code>propertyAccessor.SetValue</code> method to be directly invoked via reflection, bypassing the standard C# access modifiers and developer intent for restricted properties.</li>
<li><strong>Persistent Property Alteration:</strong> The live CLR object instance within the host application has its property value permanently altered. These changes persist after the template rendering operation has completed.</li>
<li><strong>Unauthorized Data Modification/Privilege Escalation:</strong> The host application continues execution with the maliciously altered object property, leading to unintended consequences such as unauthorized privilege escalation, data corruption, or configuration changes.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability in Scriban can lead to severe data integrity issues and potential privilege escalation within host applications. By exploiting this flaw, attackers can bypass critical C# access modifiers (<code>private set</code>, <code>internal set</code>, <code>init</code>) and modify any CLR object property exposed to the template engine. This could result in unauthorized administrative access if a <code>user.is_admin</code> property is toggled, financial manipulation if <code>order.total_price</code> is set to zero, or critical system configuration changes. The altered state persists in the live application object, meaning the impact is immediate and enduring until the application state is reset or the object is reloaded, compromising the application's security and reliability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Review all Scriban templates and the host application's interaction with <code>TemplateContext</code> to identify and restrict the types of CLR objects exposed.</li>
<li>As no patch currently exists, implement custom controls as described in the remediation &quot;Fix 2&quot; in the reference advisory: add a <code>MemberWriteFilter</code> on <code>TemplateContext</code> or use a <code>[ScriptMemberReadOnly]</code> attribute to explicitly control write access to properties.</li>
<li>Regularly monitor the Scriban project's GitHub repository or NuGet feed for a patched version (<code>nuget/Scriban</code>) and apply it immediately once available.</li>
<li>Review application code for <code>TypedObjectAccessor</code> usage and its implications, paying close attention to sensitive properties that are pushed into the <code>TemplateContext</code>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>templating-engine</category><category>mass-assignment</category><category>access-control-bypass</category><category>vulnerability</category><category>csharp</category><category>dotnet</category></item></channel></rss>