CVE-2021-46703

Vulnerability

The IsolatedRazorEngineService component of Antaris RazorEngine through version 4.5.1-alpha001 uses Code Access Security (CAS) to sandbox template execution. CAS has been deprecated and is no longer supported on modern .NET platforms, making the sandbox ineffective. An attacker who can control template content can bypass the sandbox and execute arbitrary .NET code [1][3].

Exploitation

An attacker needs the ability to supply or influence template content (e.g., through user input or external data). The attacker crafts a Razor template that leverages System.IO, RazorEngine.Compilation.RazorDynamicObject, and expression trees to compile and invoke arbitrary actions. For example, the template can write a file to disk by constructing a lambda expression and calling Compile() on a dynamic object [3]. No authentication or special privileges are required if the template input is exposed.

Impact

Successful exploitation allows the attacker to execute arbitrary .NET code within the application's security context. This can lead to full compromise of the host system, including file write, data exfiltration, or further lateral movement. The sandbox is completely bypassed [3].

Mitigation

No official fix exists; the product is end-of-life and no longer supported by the maintainer. A community-provided patch (attached to issue #585) disables dynamic support but is not an official release. Users are strongly advised to stop using IsolatedRazorEngineService for security purposes and redesign their architecture to avoid relying on CAS-based sandboxing [1][3].