GHSA-GRR9-747V-XVCP: Uncontrolled Recursion in Scriban Templates Leads to Denial of Service


via Dev.to, CVE Reports

Vulnerability ID: GHSA-GRR9-747V-XVCP
CVSS Score: 7.5
Published: 2026-03-19

Scriban, a .NET text templating engine, is vulnerable to a high-severity denial-of-service (DoS) flaw due to uncontrolled recursion during template parsing and object rendering. The lack of default depth boundaries allows maliciously crafted templates or objects with circular references to exhaust the call stack, causing an unrecoverable process crash.

TL;DR

A denial-of-service vulnerability exists in the Scriban .NET templating engine due to missing depth limits for nested expressions and object traversal. Attackers can trigger an uncatchable StackOverflowException, immediately terminating the host process. Mitigation requires updating the package or manually configuring recursion limits.

⚠️ Exploit Status: POC

Technical Details

Vulnerability Class: Uncontrolled Recursion (CWE-674)
Secondary Class: Uncontrolled Resour
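The circular-reference case described above, as an added example that is not Scriban's code and not part of the original advisory: a renderer that carries an explicit depth counter and throws an ordinary, catchable exception at a limit instead of recursing until the stack is exhausted. `DepthLimitedRenderer`, `MaxDepth` and the limit of 64 are hypothetical names and values chosen for illustration.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Text;

// Added illustration, not Scriban's implementation. All names are hypothetical.
public static class DepthLimitedRenderer
{
    public const int MaxDepth = 64; // assumed limit; size it to the data you expect

    // Renders nested dictionaries and lists to text, refusing to descend past MaxDepth.
    public static string Render(object value)
    {
        var sb = new StringBuilder();
        Write(value, sb, 0);
        return sb.ToString();
    }

    private static void Write(object value, StringBuilder sb, int depth)
    {
        // Fail with a catchable exception long before the call stack runs out;
        // a StackOverflowException cannot be handled and ends the process.
        if (depth > MaxDepth)
            throw new InvalidOperationException($"Object nesting exceeds {MaxDepth} levels");

        switch (value)
        {
            case null: sb.Append("null"); break;
            case string s: sb.Append('"').Append(s).Append('"'); break; // before IEnumerable
            case IDictionary<string, object> map:
                sb.Append('{');
                foreach (var kv in map) { sb.Append(kv.Key).Append(": "); Write(kv.Value, sb, depth + 1); sb.Append("; "); }
                sb.Append('}');
                break;
            case IEnumerable list:
                sb.Append('[');
                foreach (var item in list) { Write(item, sb, depth + 1); sb.Append(", "); }
                sb.Append(']');
                break;
            default: sb.Append(value); break;
        }
    }

    public static void Main()
    {
        // Constructed sample: a dictionary that contains itself.
        var node = new Dictionary<string, object> { ["name"] = "a" };
        node["self"] = node;
        try { Console.WriteLine(Render(node)); }
        catch (InvalidOperationException ex) { Console.WriteLine("rejected: " + ex.Message); }
    }
}
```

The host can catch the `InvalidOperationException`, log the rejected input and keep serving other requests.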
