GHSA-p6q4-fgr8-vx4p
Scriban has a Stack Overflow via Nested Array Initializers That Bypass the ExpressionDepthLimit Fix
Details
### Summary StackOverflowException via nested array initializers bypasses ExpressionDepthLimit fix (GHSA-wgh7-7m3c-fx25)
### Details The recent fix for GHSA-wgh7-7m3c-fx25 (uncontrolled recursion in parser) added `ExpressionDepthLimit` defaulting to 250. However, deeply nested **array initializers** (`[[[[...`) recurse through `ParseArrayInitializer` → `ParseExpression` → `ParseArrayInitializer`, which is a **different recursion path** not covered by the expression depth counter.
This causes a `StackOverflowException` on current main (commit b5ac4bf - "Add limits for default safety").
### PoC ``` using Scriban;
// ExpressionDepthLimit (default 250) does NOT prevent this crash string nested = "{{ " + new string('[', 5000) + "1" + new string(']', 5000) + " }}"; Template.Parse(nested); // StackOverflowException - process terminates ```
### Impact Same as GHSA-wgh7-7m3c-fx25: High severity. StackOverflowException cannot be caught with try/catch in .NET - the process terminates immediately. Any application calling Template.Parse with untrusted input is vulnerable, even with the new default ExpressionDepthLimit enabled.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 7.0.0 dotnet add package Scriban.Signed --version 7.0.0