
CVE-2025-29786: CWE-770: Allocation of Resources Without Limits or Throttling in expr-lang expr

Severity: High
Tags: Vulnerability, CVE-2025-29786, cve, cwe-770
Published: Mon Mar 17 2025 (03/17/2025, 13:15:32 UTC)
Source: CVE Database V5
Vendor/Project: expr-lang
Product: expr

Description

Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios where input size isn’t limited, a malicious or inadvertent extremely large expression can consume excessive memory as the parser builds a huge AST. This can ultimately lead to excessive memory usage and an Out-Of-Memory (OOM) crash of the process. This issue is relatively uncommon and will only manifest when there are no restrictions on the input size, i.e. the expression length is allowed to grow arbitrarily large. In typical use cases where inputs are bounded or validated, this problem would not occur. The problem has been patched in the latest versions of the Expr library. The fix introduces compile-time limits on the number of AST nodes and memory usage during parsing, preventing any single expression from exhausting resources. Users should upgrade to Expr version 1.17.0 or later, as this release includes the new node budget and memory limit safeguards. Upgrading to v1.17.0 ensures that extremely deep or large expressions are detected and safely aborted during compilation, avoiding the OOM condition. For users who cannot immediately upgrade, the recommended workaround is to impose an input size restriction before parsing. In practice, this means validating or limiting the length of expression strings that your application will accept. For example, set a maximum allowable number of characters (or nodes) for any expression and reject or truncate inputs that exceed this limit. By ensuring no unbounded-length expression is ever fed into the parser, one can prevent the parser from constructing a pathologically large AST and avoid potential memory exhaustion. In short, pre-validate and cap input size as a safeguard in the absence of the patch.

AI-Powered Analysis

Last updated: 01/23/2026, 17:05:16 UTC

Technical Analysis

CVE-2025-29786 affects the expr-lang expression evaluation library for the Go programming language, specifically versions before 1.17.0. The vulnerability arises from the lack of resource allocation limits during parsing of input expressions. When the parser receives an unboundedly large input string, it attempts to compile the entire expression, generating an Abstract Syntax Tree (AST) node for each component. This process can consume excessive memory, leading to an Out-Of-Memory (OOM) crash of the hosting process. The root cause is the absence of throttling or limits on the number of AST nodes or memory usage during compilation. This vulnerability is categorized under CWE-770: Allocation of Resources Without Limits or Throttling. The issue is particularly relevant in scenarios where input size is not constrained or validated, such as exposed APIs or services accepting user-supplied expressions. The vulnerability has been addressed in expr version 1.17.0 by introducing compile-time safeguards that limit AST node count and memory consumption, aborting compilation safely if limits are exceeded. For users unable to upgrade immediately, the recommended mitigation is to enforce strict input size restrictions before parsing, such as maximum character counts or node limits, to prevent resource exhaustion. The CVSS v3.1 base score is 7.5 (high), reflecting the vulnerability's potential to cause denial-of-service without requiring authentication or user interaction. No known exploits have been reported in the wild as of the publication date.

Potential Impact

For European organizations, the primary impact of CVE-2025-29786 is the risk of denial-of-service (DoS) conditions in applications using vulnerable versions of the expr-lang library. Such DoS events can lead to service outages, degraded performance, and potential disruption of critical business processes, especially in sectors relying on Go-based microservices, automation, or configuration evaluation that utilize expr. Memory exhaustion could also affect containerized environments or cloud-native deployments common in Europe, potentially causing cascading failures or increased operational costs. Since the vulnerability does not compromise confidentiality or integrity, the impact is limited to availability. However, availability disruptions in critical infrastructure, financial services, or public sector applications could have significant operational and reputational consequences. The absence of authentication or user interaction requirements means that any exposed service accepting expressions could be targeted remotely, increasing the attack surface. Organizations with strict uptime requirements or those operating in regulated industries must prioritize mitigation to maintain compliance and service reliability.

Mitigation Recommendations

1. Upgrade all instances of the expr-lang library to version 1.17.0 or later, which includes built-in compile-time limits on AST nodes and memory usage to prevent resource exhaustion.
2. For environments where immediate upgrading is not feasible, implement strict input validation to limit the size and complexity of expressions accepted by the parser. This includes setting maximum allowable character lengths and rejecting or truncating inputs exceeding these thresholds.
3. Employ runtime monitoring and alerting on memory usage patterns in services utilizing expr to detect abnormal spikes indicative of attempted exploitation.
4. Use application-layer firewalls or API gateways to enforce input size restrictions and block suspiciously large or malformed expression payloads.
5. Conduct code reviews and penetration testing focused on expression evaluation components to identify and remediate any unbounded input handling.
6. Document and communicate the vulnerability and mitigation steps to development and operations teams to ensure consistent application of safeguards.
7. Consider implementing circuit breakers or resource quotas in container orchestration platforms to limit the impact of potential OOM conditions.

These steps collectively reduce the risk of denial-of-service attacks exploiting this vulnerability.
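As an added illustration of the pre-parse workaround described above and in mitigation step 2 (this is not code from the expr project), the following Go guard rejects an expression string by byte length, token count and bracket nesting depth before the application would hand it to expr.Compile. The budget values and sample inputs are constructed for this example, and the token count uses text/scanner from the standard library as a rough stand-in for the number of AST nodes the real parser would allocate.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"text/scanner"
)

// Budgets for the guard (constructed for this example; tune them to the longest legitimate expression you accept).
const (
	MaxExprBytes  = 4096 // hard cap on input length
	MaxExprTokens = 512  // rough proxy for the number of AST nodes
	MaxExprDepth  = 32   // nesting of ( ), [ ], { }
)

var ErrExprTooLarge = errors.New("expression rejected: exceeds size budget")
// CheckExpressionBudget enforces byte, token and nesting-depth limits before expr.Compile is
// called. It never builds an AST, so its own memory use is bounded by the length it has capped.
func CheckExpressionBudget(src string) error {
	if len(src) > MaxExprBytes {
		return fmt.Errorf("%w: %d bytes > %d", ErrExprTooLarge, len(src), MaxExprBytes)
	}
	var s scanner.Scanner
	s.Init(strings.NewReader(src))
	s.Error = func(*scanner.Scanner, string) {} // syntax errors are expr's job, not ours
	tokens, depth := 0, 0
	for tok := s.Scan(); tok != scanner.EOF; tok = s.Scan() {
		if tokens++; tokens > MaxExprTokens {
			return fmt.Errorf("%w: more than %d tokens", ErrExprTooLarge, MaxExprTokens)
		}
		switch tok {
		case '(', '[', '{':
			if depth++; depth > MaxExprDepth {
				return fmt.Errorf("%w: nesting deeper than %d", ErrExprTooLarge, MaxExprDepth)
			}
		case ')', ']', '}':
			if depth > 0 {
				depth--
			}
		}
	}
	return nil
}

func main() {
	fmt.Println(CheckExpressionBudget("user.Age >= 18 && len(user.Roles) > 0")) // <nil>
	fmt.Println(CheckExpressionBudget(strings.Repeat("1 + ", 2000) + "1"))      // rejected: over byte budget
	// Only after the guard returns nil: program, err := expr.Compile(src, ...)
}
```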


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-03-11T14:23:00.476Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6973a6f24623b1157c4f2e12

Added to database: 1/23/2026, 4:50:58 PM

Last enriched: 1/23/2026, 5:05:16 PM

Last updated: 2/5/2026, 1:05:10 PM