Cyber Posture

CVE-2025-29786

Severity: High
Published: 17 March 2025
Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0009 (percentile 26.1)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Security Summary

CVE-2025-29786 is a denial-of-service vulnerability in the Expr library, an expression language and evaluation tool for Go applications. Prior to version 1.17.0, the Expr parser accepts input strings of unbounded size and compiles the entire expression into an Abstract Syntax Tree (AST), allocating a node for each part of the expression. With no limit on input size, a maliciously crafted or extremely large expression makes the parser build a massive AST, leading to excessive memory consumption and an Out-Of-Memory (OOM) crash of the affected process. The issue is classified as CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

The vulnerability can be exploited by any unauthenticated remote attacker who can supply an arbitrarily large expression string to an application that passes it to Expr without input validation or size bounds. Exploitation requires that user-controlled input reach the parser directly, as in dynamic expression evaluation features. A successful attack exhausts memory and crashes the process, disrupting service availability; there is no confidentiality or integrity impact.

Mitigation is addressed in Expr version 1.17.0 and later, which introduces compile-time limits on AST node count and memory usage during parsing to detect and abort excessively large expressions. The official GitHub security advisory (GHSA-93mq-9ffx-83m2), pull request #762, and commit 0d19441454426d2f58edb22c31f3ba5f99c7a26e detail the patch implementation. Users unable to upgrade immediately should implement workarounds by enforcing strict input size limits, such as maximum character lengths or node counts, and rejecting or truncating oversized expressions before parsing.
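An added illustration of the fix and the workaround described above, not Expr's own code: a toy Go parser for space-separated sums such as "a + b + c" that caps the input length before tokenizing and counts every AST node it allocates, aborting as soon as a caller-supplied budget is exceeded. The grammar, the error values and the limits are constructed for this example; Expr's real limits live in its own, much larger parser.

```go
package main

import (
	"errors"
	"strings"
)

// Added illustration (not Expr's own code): a toy parser that counts every AST
// node it allocates and aborts past a budget, so an oversized expression fails
// fast instead of growing a tree until the process runs out of memory.
var ErrTooLong = errors.New("expression exceeds maximum length")
var ErrTooManyNodes = errors.New("expression exceeds maximum AST node count")
var ErrSyntax = errors.New("malformed expression")

// Node is a minimal binary AST node: Op is "+" for a sum, or the identifier for a leaf.
type Node struct{ Op string; Left, Right *Node }

// ParseBounded applies both workarounds named on the page: a byte-length cap
// before tokenizing and a node-count cap enforced while the tree is built. Grammar
// (constructed for this example): ident ("+" ident)*, tokens separated by spaces.
func ParseBounded(input string, maxLen, maxNodes int) (*Node, error) {
	if len(input) > maxLen {
		return nil, ErrTooLong
	}
	count := 0
	alloc := func(n Node) (*Node, error) { // sole constructor, so the budget cannot be bypassed
		if count++; count > maxNodes {
			return nil, ErrTooManyNodes
		}
		return &n, nil
	}
	toks := strings.Fields(input)
	if len(toks)%2 == 0 || toks[0] == "+" { // every "+" must sit between two identifiers
		return nil, ErrSyntax
	}
	root, err := alloc(Node{Op: toks[0]})
	for i := 1; err == nil && i < len(toks); i += 2 {
		if toks[i] != "+" || toks[i+1] == "+" {
			return nil, ErrSyntax
		}
		var right *Node
		if right, err = alloc(Node{Op: toks[i+1]}); err != nil {
			return nil, err
		}
		root, err = alloc(Node{Op: "+", Left: root, Right: right}) // left-associative; nil on error
	}
	return root, err
}
```

A 2000-term sum needs 3999 nodes, so ParseBounded(strings.Repeat("x + ", 1999)+"x", 1<<20, 1000) returns ErrTooManyNodes after the first thousand allocations instead of building the whole tree.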

Details

CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)

MITRE ATT&CK Enterprise Techniques

T1499.004 Endpoint Denial of Service: Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables remote resource exhaustion through unbounded AST parsing, leading to an OOM crash; this maps directly to Endpoint Denial of Service (T1499) via its Application or System Exploitation sub-technique.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
