dotnet · Scriban · Heads-up
Scriban: Array multiplication operator missing LoopLimit check enables DoS via excessive allocation
What changed
The array multiplication operator (`array * integer`) in Scriban allocates a result array of size `intModifier * array.Count` without consulting `LoopLimit` or using overflow-safe arithmetic, allowing a small template to trigger multi-gigabyte allocations and denial of service.
Who it affects
Any application that renders attacker-controlled Scriban templates, including those using `object.eval` or `object.eval_template`.
What to do today
Apply the suggested remediation: add a `LoopLimit` check or overflow-safe pre-check in `ScriptArray.cs` for the Multiply case, and add a regression test.
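One way to write the overflow-safe pre-check named in the remediation, shown as an added C# example that is not Scriban's own code. `ArrayRepeatGuard`, `CheckedResultCount`, `Repeat` and the `loopLimit` parameter are hypothetical names standing in for the Multiply case and the `LoopLimit` setting; treating a limit of 0 as "no limit" and a non-positive multiplier as an empty result are assumptions.

```csharp
using System;
using System.Collections.Generic;

// Added illustration, not Scriban source. All names here are hypothetical.
public static class ArrayRepeatGuard
{
    // Computes the element count of `array * intModifier` and rejects it
    // before anything is allocated.
    public static int CheckedResultCount(int arrayCount, int intModifier, int loopLimit)
    {
        if (arrayCount < 0) throw new ArgumentOutOfRangeException(nameof(arrayCount));
        // Assumption: a non-positive multiplier yields an empty array.
        if (intModifier <= 0 || arrayCount == 0) return 0;

        // Widen to 64 bits so the product cannot wrap in 32-bit arithmetic.
        long total = (long)arrayCount * intModifier;

        // Assumption: loopLimit == 0 disables the limit, as it does for loops.
        if (loopLimit > 0 && total > loopLimit)
            throw new InvalidOperationException(
                $"array multiplication would create {total} elements, limit is {loopLimit}");

        // Even with the limit disabled, the result must fit in an int-sized list.
        if (total > int.MaxValue)
            throw new OverflowException("array multiplication result is too large");

        return (int)total;
    }

    public static List<object> Repeat(IReadOnlyList<object> source, int intModifier, int loopLimit)
    {
        int count = CheckedResultCount(source.Count, intModifier, loopLimit);
        var result = new List<object>(count);
        if (count == 0) return result;
        for (int i = 0; i < intModifier; i++) result.AddRange(source);
        return result;
    }

    public static void Main()
    {
        var three = new object[] { 1, 2, 3 };                 // constructed sample input
        Console.WriteLine(Repeat(three, 4, 1000).Count);      // within the limit
        try { Repeat(three, 1_000_000_000, 1000); }           // rejected before allocation
        catch (InvalidOperationException e) { Console.WriteLine("rejected: " + e.Message); }
        try { Repeat(three, int.MaxValue, 0); }               // limit disabled, still bounded
        catch (OverflowException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

A regression test for the real fix would assert the same two rejections against the template engine itself rather than this stand-in.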