GHSA-xw6w-9jjh-p9cr: Scriban has Multiple Denial-of-Service Vectors via Unbounded Resource Consumption During Expression Evaluation

March 24, 2026

Scriban’s expression evaluation contains three distinct code paths that allow an attacker who can supply a template to cause denial of service through unbounded memory allocation or CPU exhaustion. The existing safety controls (LimitToString, LoopLimit) do not protect these paths, giving applications a false sense of safety when evaluating untrusted templates.

References

github.com/advisories/GHSA-xw6w-9jjh-p9cr
github.com/scriban/scriban
github.com/scriban/scriban/security/advisories/GHSA-xw6w-9jjh-p9cr

Code Behaviors & Features

Detect and mitigate GHSA-xw6w-9jjh-p9cr with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →