Description
Advisory CVE-2025-29786 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/expr-lang/expr |
Description:
Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios where input size isn’t limited, a malicious or inadvertent extremely large expression can consume excessive memory as the parser builds a huge AST. This can ultimately lead to*excessive memory usage and an Out-Of-Memory (OOM) crash of the process. This issue is relatively uncommon and will only manifes...
References:
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-29786
- FIX: feat: add node budget and memory limits expr-lang/expr#762
- WEB: GHSA-93mq-9ffx-83m2
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/expr-lang/expr
vulnerable_at: 1.17.0
summary: CVE-2025-29786 in github.com/expr-lang/expr
cves:
- CVE-2025-29786
references:
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-29786
- fix: https://github.com/expr-lang/expr/pull/762
- web: https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2
source:
id: CVE-2025-29786
created: 2025-03-17T15:01:26.595720951Z
review_status: UNREVIEWED