GHSA-c875-h985-hvrc: Scriban: Built-in operations bypass LoopLimit and delay cancellation, enabling Denial of Service
Scriban's LoopLimit applies only to script loop statements, not to the expensive iteration performed inside operators and built-in functions. An attacker can submit a single expression such as `{{ 1..1000000 | array.size }}` and force a large amount of CPU work even when LoopLimit is set to a very small value.