CVE-2025-68156: Allocation of Resources Without Limits or Throttling in Expr-lang Expr

Severity
7.5 HIGH (NVD)
EPSS
0.0% (top 87.91%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Dec 16
Latest update: Dec 22

Description

Expr is an expression language and expression evaluation for Go. Prior to version 1.17.7, several builtin functions in Expr, including `flatten`, `min`, `max`, `mean`, and `median`, perform recursive traversal over user-provided data structures without enforcing a maximum recursion depth. If the evaluation environment contains deeply nested or cyclic data structures, these functions may recurse indefinitely until they exceed the Go runtime stack limit. This results in a stack overflow panic, causing
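The description above names the defect (recursive traversal of user-supplied data with no depth bound) and its consequence (a stack overflow panic that a Go program cannot recover from). The following is an added example, not code from the expr project, showing the defensive pattern: a `flatten`-style traversal that tracks its recursion depth and returns an error once a limit is exceeded, so both deeply nested and self-referencing inputs fail cleanly instead of exhausting the stack. `MaxDepth`, `Flatten`, `Nest` and `Cyclic` are assumed names for this illustration; the limit value is an arbitrary choice, not a setting from the library.

```go
package main

import (
	"errors"
	"fmt"
)

// MaxDepth is the nesting depth at which traversal stops and reports an error.
// Assumption for illustration only; it is not an expr configuration value.
const MaxDepth = 32

// ErrTooDeep is returned instead of recursing past MaxDepth.
var ErrTooDeep = errors.New("flatten: nesting exceeds maximum depth")

// Flatten walks arbitrarily nested []any values and returns the leaves in
// order. Unlike an unbounded traversal, it counts recursion depth and aborts
// with ErrTooDeep, so a hostile input yields an error, not a runtime panic.
func Flatten(v any) ([]any, error) {
	var out []any
	if err := flattenInto(v, 0, &out); err != nil {
		return nil, err
	}
	return out, nil
}

func flattenInto(v any, depth int, out *[]any) error {
	// The depth check runs before any further recursion, so a cyclic slice
	// (which never reaches a leaf) is caught by the same bound.
	if depth > MaxDepth {
		return ErrTooDeep
	}
	switch x := v.(type) {
	case []any:
		for _, e := range x {
			if err := flattenInto(e, depth+1, out); err != nil {
				return err
			}
		}
	default:
		*out = append(*out, v)
	}
	return nil
}

// Nest builds a constructed input: value wrapped inside n nested slices.
func Nest(value any, n int) any {
	v := value
	for i := 0; i < n; i++ {
		v = []any{v}
	}
	return v
}

// Cyclic builds a constructed self-referencing slice whose only element is
// the slice itself, the "cyclic data structure" case from the description.
func Cyclic() []any {
	s := make([]any, 1)
	s[0] = s
	return s
}

func main() {
	got, err := Flatten([]any{1, []any{2, []any{3}}, 4})
	fmt.Println(got, err) // [1 2 3 4] <nil>

	_, err = Flatten(Nest("leaf", MaxDepth+1))
	fmt.Println(err) // flatten: nesting exceeds maximum depth

	_, err = Flatten(Cyclic())
	fmt.Println(err) // flatten: nesting exceeds maximum depth
}
```

The same depth counter can guard any recursive builtin (`min`, `max`, `mean`, `median` in the description all walk nested arrays the same way); the important property is that the bound is checked on entry to every recursive call, so no input shape can bypass it.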

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Patches

🔴 Vulnerability Details (4)

OSV: Expr has Denial of Service via Unbounded Recursion in Builtin Functions in github.com/expr-lang/expr (2025-12-22)
OSV: Expr has Denial of Service via Unbounded Recursion in Builtin Functions (2025-12-16)
GHSA: Expr has Denial of Service via Unbounded Recursion in Builtin Functions (2025-12-16)
OSV: CVE-2025-68156: Expr is an expression language and expression evaluation for Go (2025-12-16)

📋 Vendor Advisories (3)

Red Hat: github.com/expr-lang/expr: Expr: Denial of Service via uncontrolled recursion in expression evaluation (2025-12-16)
Microsoft: Expr has Denial of Service via Unbounded Recursion in Builtin Functions (2025-12-09)
Debian: CVE-2025-68156: golang-github-antonmedv-expr - Expr is an expression language and expression evaluation for Go. Prior to versio... (2025)

🕵️ Threat Intelligence (1)

Wiz: CVE-2025-68156 Impact, Exploitability, and Mitigation Steps | Wiz