Lucene search
K

3 matches found

Github Security Blog
Github Security Blog
added 2026/06/26 9:1 p.m.10 views

Scriban: array * int (ScriptArray<T>.TryEvaluate) bypasses LoopLimit — incomplete fix for GHSA-c875-h985-hvrc, missed sibling of GHSA-24c8-4792-22hx

Summary The array multiplication operator array integer in Scriban allocates a result whose size is the product of the attacker-controlled integer and the array length, with no LoopLimit / LimitToString check and no overflow-safe arithmetic. A 40-byte template forces a multi-gigabyte allocation,...

5.8AI score
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/24 10:13 p.m.7 views

Scriban: Built-in operations bypass LoopLimit and delay cancellation, enabling Denial of Service

Summary Scriban's LoopLimit only applies to script loop statements, not to expensive iteration performed inside operators and builtins. An attacker can submit a single expression such as 1..1000000 | array.size and force large amounts of CPU work even when LoopLimit is set to a very small value...

6AI score
Exploits0References2Affected Software2
OSV
OSV
added 2026/03/24 10:13 p.m.4 views

GHSA-C875-H985-HVRC Scriban: Built-in operations bypass LoopLimit and delay cancellation, enabling Denial of Service

Summary Scriban's LoopLimit only applies to script loop statements, not to expensive iteration performed inside operators and builtins. An attacker can submit a single expression such as 1..1000000 | array.size and force large amounts of CPU work even when LoopLimit is set to a very small value...

7.5CVSS6AI score
Exploits0References2
Rows per page
Query Builder