GHSA-xcx6-vp38-8hr5: Scriban has Uncontrolled Recursion in `object.to_json` Causing Unrecoverable Process Crash via StackOverflowException
The object.to_json builtin function in Scriban performs recursive JSON serialization via an internal WriteValue() static local function that has no depth limit, no circular reference detection, and no stack overflow guard. A Scriban template containing a self-referencing object passed to object.to_json triggers unbounded recursion, causing a StackOverflowException that terminates the hosting .NET process. This is a fatal, unrecoverable crash — StackOverflowException cannot be caught by user code in .NET.
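The two guards the description says are missing, a depth limit and circular reference detection, shown in a stand-alone recursive writer. This is an added example, not Scriban's code or its fix; `GuardedJson`, `MaxDepth` and the value 64 are assumptions, and it needs .NET 5 or later for `ReferenceEqualityComparer`.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

static class GuardedJson
{
    const int MaxDepth = 64; // assumed limit, not a Scriban setting

    public static string Serialize(object value)
    {
        var sb = new StringBuilder();
        // Containers on the current recursion path, compared by reference.
        var path = new HashSet<object>(ReferenceEqualityComparer.Instance);
        Write(sb, value, 0, path);
        return sb.ToString();
    }

    static void Write(StringBuilder sb, object value, int depth, HashSet<object> path)
    {
        // Fail with a catchable exception long before the stack is exhausted.
        if (depth > MaxDepth) throw new InvalidOperationException("nesting too deep");
        switch (value)
        {
            case null: sb.Append("null"); return;
            case string or bool or int or long or double:
                sb.Append(JsonSerializer.Serialize(value, value.GetType())); return;
            case IDictionary or IEnumerable: break; // containers: recurse below
            default: sb.Append(JsonSerializer.Serialize(value.ToString())); return;
        }
        // A container already on the path means the graph loops back on itself.
        if (!path.Add(value)) throw new InvalidOperationException("circular reference");
        var map = value as IDictionary;
        var sep = "";
        sb.Append(map != null ? '{' : '[');
        foreach (var item in map != null ? map.Keys : (IEnumerable)value)
        {
            sb.Append(sep);
            sep = ",";
            if (map != null) sb.Append(JsonSerializer.Serialize(item.ToString())).Append(':');
            Write(sb, map != null ? map[item] : item, depth + 1, path);
        }
        sb.Append(map != null ? '}' : ']');
        path.Remove(value); // off the path again, so shared non-cyclic references stay legal
    }
}
```

A dictionary that holds itself as a value (constructed input: `d["self"] = d`) makes `GuardedJson.Serialize(d)` throw `InvalidOperationException`, which the host can catch and turn into a failed render instead of losing the process.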