CVE-2025-29786 (GCVE-0-2025-29786)

Vulnerability from cvelistv5 – Published: 2025-03-17 13:15 – Updated: 2026-01-23 16:29
VLAI
Title
Memory Exhaustion in Expr Parser with Unrestricted Input
Summary
Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios where input size isn’t limited, a malicious or inadvertent extremely large expression can consume excessive memory as the parser builds a huge AST. This can ultimately lead to*excessive memory usage and an Out-Of-Memory (OOM) crash of the process. This issue is relatively uncommon and will only manifest when there are no restrictions on the input size, i.e. the expression length is allowed to grow arbitrarily large. In typical use cases where inputs are bounded or validated, this problem would not occur. The problem has been patched in the latest versions of the Expr library. The fix introduces compile-time limits on the number of AST nodes and memory usage during parsing, preventing any single expression from exhausting resources. Users should upgrade to Expr version 1.17.0 or later, as this release includes the new node budget and memory limit safeguards. Upgrading to v1.17.0 ensures that extremely deep or large expressions are detected and safely aborted during compilation, avoiding the OOM condition. For users who cannot immediately upgrade, the recommended workaround is to impose an input size restriction before parsing. In practice, this means validating or limiting the length of expression strings that your application will accept. For example, set a maximum allowable number of characters (or nodes) for any expression and reject or truncate inputs that exceed this limit. By ensuring no unbounded-length expression is ever fed into the parser, one can prevent the parser from constructing a pathologically large AST and avoid potential memory exhaustion. In short, pre-validate and cap input size as a safeguard in the absence of the patch.
Severity
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
Impacted products
Vendor Product Version
expr-lang expr Affected: < 1.17.0
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-29786",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-17T13:29:22.591802Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-17T13:29:29.177Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "expr",
          "vendor": "expr-lang",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.17.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios where input size isn\u2019t limited, a malicious or inadvertent extremely large expression can consume excessive memory as the parser builds a huge AST. This can ultimately lead to*excessive memory usage and an Out-Of-Memory (OOM) crash of the process. This issue is relatively uncommon and will only manifest when there are no restrictions on the input size, i.e. the expression length is allowed to grow arbitrarily large. In typical use cases where inputs are bounded or validated, this problem would not occur. The problem has been patched in the latest versions of the Expr library. The fix introduces compile-time limits on the number of AST nodes and memory usage during parsing, preventing any single expression from exhausting resources. Users should upgrade to Expr version 1.17.0 or later, as this release includes the new node budget and memory limit safeguards. Upgrading to v1.17.0 ensures that extremely deep or large expressions are detected and safely aborted during compilation, avoiding the OOM condition. For users who cannot immediately upgrade, the recommended workaround is to impose an input size restriction before parsing. In practice, this means validating or limiting the length of expression strings that your application will accept. For example, set a maximum allowable number of characters (or nodes) for any expression and reject or truncate inputs that exceed this limit. By ensuring no unbounded-length expression is ever fed into the parser, one can prevent the parser from constructing a pathologically large AST and avoid potential memory exhaustion. In short, pre-validate and cap input size as a safeguard in the absence of the patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-23T16:29:26.719Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2"
        },
        {
          "name": "https://github.com/expr-lang/expr/pull/762",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/expr-lang/expr/pull/762"
        },
        {
          "name": "https://github.com/expr-lang/expr/commit/0d19441454426d2f58edb22c31f3ba5f99c7a26e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/expr-lang/expr/commit/0d19441454426d2f58edb22c31f3ba5f99c7a26e"
        }
      ],
      "source": {
        "advisory": "GHSA-93mq-9ffx-83m2",
        "discovery": "UNKNOWN"
      },
      "title": "Memory Exhaustion in Expr Parser with Unrestricted Input"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-29786",
    "datePublished": "2025-03-17T13:15:32.836Z",
    "dateReserved": "2025-03-11T14:23:00.476Z",
    "dateUpdated": "2026-01-23T16:29:26.719Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-29786",
      "date": "2026-06-05",
      "epss": "0.00095",
      "percentile": "0.2639"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-29786\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-03-17T14:15:22.237\",\"lastModified\":\"2026-01-23T17:16:06.197\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios where input size isn\u2019t limited, a malicious or inadvertent extremely large expression can consume excessive memory as the parser builds a huge AST. This can ultimately lead to*excessive memory usage and an Out-Of-Memory (OOM) crash of the process. This issue is relatively uncommon and will only manifest when there are no restrictions on the input size, i.e. the expression length is allowed to grow arbitrarily large. In typical use cases where inputs are bounded or validated, this problem would not occur. The problem has been patched in the latest versions of the Expr library. The fix introduces compile-time limits on the number of AST nodes and memory usage during parsing, preventing any single expression from exhausting resources. Users should upgrade to Expr version 1.17.0 or later, as this release includes the new node budget and memory limit safeguards. Upgrading to v1.17.0 ensures that extremely deep or large expressions are detected and safely aborted during compilation, avoiding the OOM condition. For users who cannot immediately upgrade, the recommended workaround is to impose an input size restriction before parsing. In practice, this means validating or limiting the length of expression strings that your application will accept. For example, set a maximum allowable number of characters (or nodes) for any expression and reject or truncate inputs that exceed this limit. By ensuring no unbounded-length expression is ever fed into the parser, one can prevent the parser from constructing a pathologically large AST and avoid potential memory exhaustion. In short, pre-validate and cap input size as a safeguard in the absence of the patch.\"},{\"lang\":\"es\",\"value\":\"Expr es un lenguaje de expresiones y un sistema de evaluaci\u00f3n de expresiones para Go. Antes de la versi\u00f3n 1.17.0, si el analizador de expresiones Expr recib\u00eda una cadena de entrada ilimitada, intentaba compilarla completa y generar un nodo de \u00c1rbol de Sintaxis Abstracta (AST) para cada parte de la expresi\u00f3n. En escenarios donde el tama\u00f1o de entrada no est\u00e1 limitado, una expresi\u00f3n extremadamente grande, maliciosa o inadvertida, puede consumir demasiada memoria mientras el analizador construye un AST enorme. Esto puede provocar un uso excesivo de memoria y un fallo del proceso por falta de memoria (OOM). Este problema es relativamente poco com\u00fan y solo se manifiesta cuando no hay restricciones en el tama\u00f1o de entrada, es decir, cuando se permite que la longitud de la expresi\u00f3n crezca arbitrariamente. En casos de uso t\u00edpicos donde las entradas est\u00e1n limitadas o validadas, este problema no se produc\u00eda. El problema se ha corregido en las \u00faltimas versiones de la librer\u00eda Expr. La correcci\u00f3n introduce l\u00edmites en tiempo de compilaci\u00f3n en el n\u00famero de nodos AST y el uso de memoria durante el an\u00e1lisis, lo que evita que una sola expresi\u00f3n agote los recursos. Los usuarios deben actualizar a la versi\u00f3n 1.17.0 de Expr o posterior, ya que esta versi\u00f3n incluye las nuevas protecciones de presupuesto de nodos y l\u00edmite de memoria. Actualizar a la versi\u00f3n 1.17.0 garantiza la detecci\u00f3n y cancelaci\u00f3n segura de expresiones extremadamente profundas o grandes durante la compilaci\u00f3n, evitando as\u00ed la condici\u00f3n OOM. Para los usuarios que no puedan actualizar inmediatamente, el workaround recomendada es imponer una restricci\u00f3n de tama\u00f1o de entrada antes del an\u00e1lisis. En la pr\u00e1ctica, esto significa validar o limitar la longitud de las cadenas de expresi\u00f3n que acepta la aplicaci\u00f3n. Por ejemplo, establezca un n\u00famero m\u00e1ximo permitido de caracteres (o nodos) para cualquier expresi\u00f3n y rechace o trunque las entradas que superen este l\u00edmite. Al garantizar que nunca se introduzca ninguna expresi\u00f3n de longitud ilimitada en el analizador, se puede evitar que el analizador construya un AST patol\u00f3gicamente grande y evitar el posible agotamiento de la memoria. En resumen, valide previamente y limite el tama\u00f1o de entrada como medida de seguridad en ausencia del parche.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"references\":[{\"url\":\"https://github.com/expr-lang/expr/commit/0d19441454426d2f58edb22c31f3ba5f99c7a26e\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/expr-lang/expr/pull/762\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-29786\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-17T13:29:22.591802Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-17T13:29:25.466Z\"}}], \"cna\": {\"title\": \"Memory Exhaustion in Expr Parser with Unrestricted Input\", \"source\": {\"advisory\": \"GHSA-93mq-9ffx-83m2\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"expr-lang\", \"product\": \"expr\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.17.0\"}]}], \"references\": [{\"url\": \"https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2\", \"name\": \"https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/expr-lang/expr/pull/762\", \"name\": \"https://github.com/expr-lang/expr/pull/762\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/expr-lang/expr/commit/0d19441454426d2f58edb22c31f3ba5f99c7a26e\", \"name\": \"https://github.com/expr-lang/expr/commit/0d19441454426d2f58edb22c31f3ba5f99c7a26e\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios where input size isn\\u2019t limited, a malicious or inadvertent extremely large expression can consume excessive memory as the parser builds a huge AST. This can ultimately lead to*excessive memory usage and an Out-Of-Memory (OOM) crash of the process. This issue is relatively uncommon and will only manifest when there are no restrictions on the input size, i.e. the expression length is allowed to grow arbitrarily large. In typical use cases where inputs are bounded or validated, this problem would not occur. The problem has been patched in the latest versions of the Expr library. The fix introduces compile-time limits on the number of AST nodes and memory usage during parsing, preventing any single expression from exhausting resources. Users should upgrade to Expr version 1.17.0 or later, as this release includes the new node budget and memory limit safeguards. Upgrading to v1.17.0 ensures that extremely deep or large expressions are detected and safely aborted during compilation, avoiding the OOM condition. For users who cannot immediately upgrade, the recommended workaround is to impose an input size restriction before parsing. In practice, this means validating or limiting the length of expression strings that your application will accept. For example, set a maximum allowable number of characters (or nodes) for any expression and reject or truncate inputs that exceed this limit. By ensuring no unbounded-length expression is ever fed into the parser, one can prevent the parser from constructing a pathologically large AST and avoid potential memory exhaustion. In short, pre-validate and cap input size as a safeguard in the absence of the patch.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-23T16:29:26.719Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-29786\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-23T16:29:26.719Z\", \"dateReserved\": \"2025-03-11T14:23:00.476Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-03-17T13:15:32.836Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.