{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/templating-engine/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Scriban \u003c= 7.2.1"],"_cs_severities":["high"],"_cs_tags":["templating-engine","mass-assignment","access-control-bypass","vulnerability","csharp","dotnet"],"_cs_type":"advisory","_cs_vendors":["Scriban"],"content_html":"\u003cp\u003eA critical vulnerability exists in the Scriban templating engine (versions \u0026lt;= 7.2.1) where its \u003ccode\u003eTypedObjectAccessor\u003c/code\u003e component permits template code to arbitrarily write to properties of Common Language Runtime (CLR) objects pushed into a \u003ccode\u003eTemplateContext\u003c/code\u003e. This flaw encompasses two primary weaknesses: mass assignment of public setters (CWE-915) and an access-modifier bypass (CWE-284), which allows templates to modify properties declared with \u003ccode\u003eprivate set\u003c/code\u003e, \u003ccode\u003einternal set\u003c/code\u003e, or \u003ccode\u003einit\u003c/code\u003e modifiers. The \u003ccode\u003eTypedObjectAccessor\u003c/code\u003e fails to perform \u003ccode\u003eCanWrite\u003c/code\u003e or setter-visibility checks, enabling reflective invocation of property setters. This means that a malicious template can alter sensitive data or application state, such as elevating privileges (e.g., setting \u003ccode\u003euser.is_admin\u003c/code\u003e to \u003ccode\u003etrue\u003c/code\u003e) directly on the host application's live objects. The changes persist even after the template rendering completes. The \u003ccode\u003einit\u003c/code\u003e keyword bypass specifically affects applications running on .NET 5.0 and later versions, while \u003ccode\u003eprivate set\u003c/code\u003e and \u003ccode\u003einternal set\u003c/code\u003e bypasses affect all supported runtimes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Embeds Host Object:\u003c/strong\u003e A host .NET application initializes a Scriban \u003ccode\u003eTemplateContext\u003c/code\u003e and pushes a sensitive CLR object (e.g., a \u003ccode\u003eUser\u003c/code\u003e object) into it using a \u003ccode\u003eScriptObject\u003c/code\u003e (e.g., \u003ccode\u003eso[\u0026quot;user\u0026quot;] = currentUser; context.PushGlobal(so);\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Template Content:\u003c/strong\u003e An attacker introduces or manipulates Scriban template code executed by the host application to include an assignment operation targeting a property of the embedded CLR object (e.g., \u003ccode\u003e{{ user.IsAdmin = true }}\u003c/code\u003e, \u003ccode\u003e{{ order.TotalPrice = 0 }}\u003c/code\u003e, or \u003ccode\u003e{{ config.SensitiveSetting = 'malicious_value' }}\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTemplate Execution Initiated:\u003c/strong\u003e The host application calls a method like \u003ccode\u003eRender()\u003c/code\u003e on the Scriban template, triggering its execution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Accessor Invocation:\u003c/strong\u003e During template execution, when the malicious assignment is encountered, Scriban's internal dispatch mechanism calls \u003ccode\u003eTypedObjectAccessor.TrySetValue\u003c/code\u003e for the targeted property.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSetter Visibility Bypass:\u003c/strong\u003e The \u003ccode\u003eTypedObjectAccessor.TrySetValue\u003c/code\u003e method, specifically in lines 108–123 of \u003ccode\u003eTypedObjectAccessor.cs\u003c/code\u003e, proceeds without verifying the \u003ccode\u003eCanWrite\u003c/code\u003e status of the property or checking the visibility (e.g., \u003ccode\u003eprivate set\u003c/code\u003e, \u003ccode\u003einternal set\u003c/code\u003e) or \u003ccode\u003einit\u003c/code\u003e status of its setter.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReflection Property Modification:\u003c/strong\u003e The vulnerability allows the \u003ccode\u003epropertyAccessor.SetValue\u003c/code\u003e method to be directly invoked via reflection, bypassing the standard C# access modifiers and developer intent for restricted properties.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistent Property Alteration:\u003c/strong\u003e The live CLR object instance within the host application has its property value permanently altered. These changes persist after the template rendering operation has completed.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Data Modification/Privilege Escalation:\u003c/strong\u003e The host application continues execution with the maliciously altered object property, leading to unintended consequences such as unauthorized privilege escalation, data corruption, or configuration changes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability in Scriban can lead to severe data integrity issues and potential privilege escalation within host applications. By exploiting this flaw, attackers can bypass critical C# access modifiers (\u003ccode\u003eprivate set\u003c/code\u003e, \u003ccode\u003einternal set\u003c/code\u003e, \u003ccode\u003einit\u003c/code\u003e) and modify any CLR object property exposed to the template engine. This could result in unauthorized administrative access if a \u003ccode\u003euser.is_admin\u003c/code\u003e property is toggled, financial manipulation if \u003ccode\u003eorder.total_price\u003c/code\u003e is set to zero, or critical system configuration changes. The altered state persists in the live application object, meaning the impact is immediate and enduring until the application state is reset or the object is reloaded, compromising the application's security and reliability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview all Scriban templates and the host application's interaction with \u003ccode\u003eTemplateContext\u003c/code\u003e to identify and restrict the types of CLR objects exposed.\u003c/li\u003e\n\u003cli\u003eAs no patch currently exists, implement custom controls as described in the remediation \u0026quot;Fix 2\u0026quot; in the reference advisory: add a \u003ccode\u003eMemberWriteFilter\u003c/code\u003e on \u003ccode\u003eTemplateContext\u003c/code\u003e or use a \u003ccode\u003e[ScriptMemberReadOnly]\u003c/code\u003e attribute to explicitly control write access to properties.\u003c/li\u003e\n\u003cli\u003eRegularly monitor the Scriban project's GitHub repository or NuGet feed for a patched version (\u003ccode\u003enuget/Scriban\u003c/code\u003e) and apply it immediately once available.\u003c/li\u003e\n\u003cli\u003eReview application code for \u003ccode\u003eTypedObjectAccessor\u003c/code\u003e usage and its implications, paying close attention to sensitive properties that are pushed into the \u003ccode\u003eTemplateContext\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T17:38:12Z","date_published":"2026-07-06T17:38:12Z","id":"https://feed.craftedsignal.io/briefs/2026-07-scriban-mass-assignment-cwe-915-cwe-284/","summary":"The Scriban templating engine, specifically its `TypedObjectAccessor`, allows template code to write to arbitrary CLR object properties, including those with `private set`, `internal set`, and `init` modifiers, effectively bypassing intended C# access restrictions. This mass assignment (CWE-915) and access-modifier bypass (CWE-284) vulnerability can lead to unauthorized modification of sensitive host object properties, such as changing `user.is_admin = true`, with changes persisting after template rendering, affecting Scriban versions up to and including 7.2.1, with the `init` bypass specifically impacting .NET 5+.","title":"Scriban Template Engine Vulnerability: Arbitrary CLR Property Writes (Mass Assignment \u0026 Setter Bypass)","url":"https://feed.craftedsignal.io/briefs/2026-07-scriban-mass-assignment-cwe-915-cwe-284/"}],"language":"en","title":"CraftedSignal Threat Feed - Templating-Engine","version":"https://jsonfeed.org/version/1.1"}