CVE-2025-29786 — Allocation of Resources Without Limits or Throttling in Expr
Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 72.25%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 17
Latest update: Mar 18
Description
Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios where input size isn't limited, a malicious or inadvertent extremely large expression can consume excessive memory as the parser builds a huge AST. This can ultimately lead to excessive memory usage and an…
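The failure mode described above is generic to any parser that allocates one AST node per token without a budget. The following Go program is an added example written for this page; it is not Expr's code and does not use Expr's API. It uses a small stand-in parser for a toy arithmetic grammar (numbers, `+`, `*`) so that it runs with the standard library alone, and the names `Limits`, `MaxBytes`, `MaxNodes`, `Parse` and `ErrTooMany` are hypothetical. It shows the two controls a practitioner wants: a byte-length check on the untrusted string before the parser is invoked at all (the one mitigation a caller of a pre-1.17.0 version can apply on their own side), and a node budget charged at the parser's single allocation point so that a hostile input aborts early instead of after a complete AST has been built.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Limits bounds what an untrusted expression may cost to parse. The names are
// illustrative for this example, not Expr's API.
type Limits struct {
	MaxBytes int // reject the source before tokenising if it is longer than this
	MaxNodes int // abort parsing once this many AST nodes have been allocated
}

var ErrTooLong = errors.New("expression longer than MaxBytes")
var ErrTooMany = errors.New("expression needs more than MaxNodes AST nodes")

// Node is a minimal AST node: a number leaf (Op == 0) or a binary operator.
type Node struct {
	Op          byte
	Text        string
	Left, Right *Node
}

type parser struct {
	src        string
	pos, nodes int // read offset; AST nodes allocated so far
	lim        Limits
	err        error
}

// newNode is the only allocation point, so the budget is charged here and
// parsing stops as soon as it is exceeded rather than after a full AST exists.
func (p *parser) newNode(n Node) *Node {
	if p.nodes++; p.nodes > p.lim.MaxNodes {
		p.err = ErrTooMany
		return nil
	}
	return &n
}

// binary parses operand (op operand)* with a loop, so a long operator chain
// costs nodes, which are budgeted, rather than stack depth.
func (p *parser) binary(op byte, operand func() *Node) *Node {
	left := operand()
	for p.err == nil && p.pos < len(p.src) && p.src[p.pos] == op {
		p.pos++
		right := operand()
		if p.err != nil {
			return nil
		}
		left = p.newNode(Node{Op: op, Left: left, Right: right})
	}
	return left
}

func (p *parser) expr() *Node { return p.binary('+', p.term) }
func (p *parser) term() *Node { return p.binary('*', p.factor) }

// factor := NUMBER (the toy grammar has no whitespace, identifiers or parentheses)
func (p *parser) factor() *Node {
	start := p.pos
	for p.pos < len(p.src) && '0' <= p.src[p.pos] && p.src[p.pos] <= '9' {
		p.pos++
	}
	if start == p.pos {
		p.err = fmt.Errorf("expected a number at offset %d", p.pos)
		return nil
	}
	return p.newNode(Node{Text: p.src[start:p.pos]})
}

// Parse applies the limits cheapest first: the byte check runs before anything is
// allocated and the node check fires inside the parser. Returns root and node count.
func Parse(src string, lim Limits) (*Node, int, error) {
	if len(src) > lim.MaxBytes {
		return nil, 0, ErrTooLong
	}
	p := &parser{src: src, lim: lim}
	root := p.expr()
	if p.err == nil && p.pos != len(p.src) {
		p.err = fmt.Errorf("trailing input at offset %d", p.pos)
	}
	if p.err != nil {
		return nil, p.nodes, p.err
	}
	return root, p.nodes, nil
}

func main() {
	lim := Limits{MaxBytes: 4096, MaxNodes: 1000}
	// Constructed inputs: a normal expression, the oversized string the CVE describes,
	// and a short string that still needs more nodes than the budget allows.
	for _, src := range []string{"2*3+4", strings.Repeat("1+", 100000) + "1", strings.Repeat("1+", 1500) + "1"} {
		_, n, err := Parse(src, lim)
		fmt.Printf("len=%d nodes=%d err=%v\n", len(src), n, err)
	}
}
```

Run it with `go run`. The oversized input is rejected with zero allocations because the byte check comes first; the 3001-byte input passes that check but is cut off after 1001 nodes, the point at which the budget is exceeded, rather than being parsed into all 3001. Since every node consumes at least one input byte, a byte cap alone already bounds allocation linearly, which is why a caller who cannot change the library should at minimum check the string length before handing it to the compiler; the in-parser node budget is the finer control that belongs inside the parser itself, and upgrading to 1.17.0 is the fix the advisory points to.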
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Exploitability: 3.9 | Impact: 3.6)
Affected Packages: 11 packages
Vulnerability Details: 4 entries (OSV)
Vendor Advisories: Red Hat (3), Debian
Debian, CVE-2025-29786: golang-github-antonmedv-expr - Expr is an expression language and expression evaluation for Go. Prior to versio... (2025)