A critical security flaw has been identified in Scriban, the popular high-performance scripting language and engine for .NET. With over 40.5 million downloads, Scriban is a cornerstone for text templating and Liquid template parsing in the .NET ecosystem. The vulnerability, carrying a severe CVSS score of 9.1, allows for a sandbox escape through a sophisticated cache bypass mechanism.
The vulnerability centers on how the TemplateContext manages object accessors. In Scriban, these accessors are responsible for determining which members (properties or fields) of a .NET object are exposed during a render, governed by a MemberFilter.
The issue arises because TemplateContext caches these accessors by Type only. While the accessors are initially built using the active MemberFilter and MemberRenamer, they are not updated if the filter is changed later on a reused context.
According to the technical details:
“When a TemplateContext is reused and the filter is tightened for a later render, Scriban still reuses the old accessor and continues exposing members that should now be hidden.”
The vulnerability stems from a specific code path where TemplateContext.GetMemberAccessor() stores accessors in an internal cache.
A TypedObjectAccessor precomputes the allowed member set in its constructor based on the current filter. Crucially, the TemplateContext.Reset() method fails to clear these cached member accessors. Once a permissive accessor is created for a specific object type, any subsequent attempt to tighten the MemberFilter is ignored. The engine continues to use the old, “leaky” accessor stored in the cache.
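The caching behaviour described above, reduced to a small model; this is an added example, not Scriban's code. The names TypedAccessor, Context, HardenedContext and tighten_and_render are hypothetical, the User object is constructed sample data, and the hardened cache key is one possible fix, assumed here for illustration rather than taken from the 7.0.0 patch.

```python
from dataclasses import dataclass, fields

@dataclass
class User:  # constructed sample object
    name: str = "alice"
    password_hash: str = "constructed-hash"

class TypedAccessor:
    """Precomputes the visible members once, from the filter active at construction."""
    def __init__(self, typ, member_filter):
        self.members = {f.name for f in fields(typ) if member_filter(f.name)}

    def get(self, obj, member):
        return getattr(obj, member) if member in self.members else None

class Context:
    """Model of the affected behaviour: accessor cache keyed by type only."""
    def __init__(self):
        self.member_filter = lambda member: True  # permissive default
        self._accessors = {}

    def _key(self, typ):
        return typ

    def accessor(self, typ):
        key = self._key(typ)
        if key not in self._accessors:
            self._accessors[key] = TypedAccessor(typ, self.member_filter)
        return self._accessors[key]

    def reset(self):
        pass  # per-render state would be cleared here; the accessor cache survives

    def render(self, obj, member):
        return self.accessor(type(obj)).get(obj, member)

class HardenedContext(Context):
    """Hypothetical fix: the cache key includes the filter, so a new policy rebuilds."""
    def _key(self, typ):
        return (typ, self.member_filter)

def tighten_and_render(ctx):
    """Render once permissively, reset, tighten the filter, render again."""
    user = User()
    first = ctx.render(user, "password_hash")
    ctx.reset()
    ctx.member_filter = lambda member: member != "password_hash"
    return first, ctx.render(user, "password_hash")

if __name__ == "__main__":
    print("type-only cache:", tighten_and_render(Context()))
    print("filter-aware cache:", tighten_and_render(HardenedContext()))
```

With the type-only cache, the second render still returns the filtered member; with the filter-aware key it returns nothing for it.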
This flaw represents a significant protection-mechanism bypass. It is particularly dangerous for applications that rely on MemberFilter as a primary pillar of their sandbox or object-exposure policy—a practice explicitly recommended in Scriban’s own documentation.
Potential risks include:
- Unauthorized Data Access: Hidden or sensitive properties may be exposed to unauthorized users.
- Unauthorized Writes: If a filtered member has a setter, an attacker could potentially modify data they shouldn’t have access to.
- Multi-tenant Risks: In environments where contexts are pooled, a security policy bypass could occur across different requests, users, or even tenants.
All versions of Scriban up to and including 6.6.0 are affected by this vulnerability. Security researchers and the maintainers urge developers to update to Scriban version 7.0.0, which contains the necessary patches to resolve the caching logic error.