Summary
StackOverflowException via nested array initializers bypasses ExpressionDepthLimit fix (GHSA-wgh7-7m3c-fx25)
Details
The recent fix for GHSA-wgh7-7m3c-fx25 (uncontrolled recursion in parser) added ExpressionDepthLimit, which defaults to 250. However, deeply nested array initializers ([[[[...) recurse through ParseArrayInitializer → ParseExpression → ParseArrayInitializer, a different recursion path that the expression depth counter does not cover.
This causes a StackOverflowException on current main (commit b5ac4bf - "Add limits for default safety").
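The gap described above, modelled as an added example: a toy recursive-descent parser in which the depth counter covers one recursive production but not the other, next to the fix of routing every recursive production through the same counter. This is not Scriban's parser code and not part of the advisory. The grammar, the class and the guardArrays switch are hypothetical; only the production names and the limit of 250 are borrowed from the text.

```csharp
using System;
// Toy recursive-descent parser added for illustration; not Scriban source.
// Grammar: expr := '(' expr ')' | '[' expr ']' | digit
sealed class ToyParser
{
    readonly string _src; readonly int _limit; readonly bool _guardArrays;
    int _pos, _depth;
    public ToyParser(string src, int limit, bool guardArrays)
    { _src = src; _limit = limit; _guardArrays = guardArrays; }

    // Shared depth counter: fails with a catchable exception long before the stack runs out.
    void Enter() { if (++_depth > _limit) throw new InvalidOperationException("nesting limit exceeded"); }
    void Expect(char c)
    { if (_pos >= _src.Length || _src[_pos++] != c) throw new FormatException("expected " + c); }

    public void ParseExpression()
    {
        char c = _pos < _src.Length ? _src[_pos] : '\0';
        if (c == '[') ParseArrayInitializer();
        else if (c == '(')
        {
            Enter();                 // the only path the incomplete counter covers
            _pos++; ParseExpression(); Expect(')');
            _depth--;
        }
        else if (char.IsDigit(c)) _pos++;
        else throw new FormatException("unexpected input at offset " + _pos);
    }

    void ParseArrayInitializer()
    {
        if (_guardArrays) Enter();   // fix: this production uses the same counter
        _pos++; ParseExpression(); Expect(']');
        if (_guardArrays) _depth--;
    }
}
static class Demo
{
    // True when the input parses, false when the depth limit rejects it.
    static bool Accepts(string s, bool guardArrays)
    {
        try { new ToyParser(s, 250, guardArrays).ParseExpression(); return true; }
        catch (InvalidOperationException) { return false; }
    }
    static void Main()
    {
        // Constructed input: 300 levels, above the limit but far too shallow to exhaust the stack.
        string arrays = new string('[', 300) + "1" + new string(']', 300);
        Console.WriteLine($"unguarded array path accepted: {Accepts(arrays, false)}");
        Console.WriteLine($"guarded array path accepted:   {Accepts(arrays, true)}");
    }
}
```

When reviewing a parser for this class of bug, check that each production that can re-enter ParseExpression increments the shared counter, not only the production the original report exercised.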
PoC
using Scriban;
// ExpressionDepthLimit (default 250) does NOT prevent this crash
string nested = "{{ " + new string('[', 5000) + "1" + new string(']', 5000) + " }}";
Template.Parse(nested); // StackOverflowException - process terminates
Impact
Same as GHSA-wgh7-7m3c-fx25: High severity. StackOverflowException cannot be caught with try/catch in .NET - the process terminates immediately. Any application calling Template.Parse with untrusted input is vulnerable, even with the new default ExpressionDepthLimit enabled.
References