CVE-2025-29786: CWE-770: Allocation of Resources Without Limits or Throttling in expr-lang expr
CVE-2025-29786 is a high-severity vulnerability in the expr-lang expression parser for Go versions prior to 1.17.0. The parser lacks limits on input size, allowing an attacker to supply an extremely large expression that causes excessive memory consumption and potential Out-Of-Memory (OOM) crashes. This denial-of-service condition arises because the parser builds an Abstract Syntax Tree (AST) node for each part of the input without throttling. The issue is mitigated in version 1.17.0 and later by introducing compile-time limits on AST nodes and memory usage. Organizations using vulnerable versions should upgrade promptly or implement strict input size validation to prevent unbounded expressions. The vulnerability has a CVSS score of 7.5.
AI Analysis
Technical Summary
CVE-2025-29786 affects the expr-lang expression evaluation library for the Go programming language, specifically versions before 1.17.0. The vulnerability arises from the lack of resource allocation limits during parsing of input expressions. When the parser receives an unboundedly large input string, it attempts to compile the entire expression, generating an Abstract Syntax Tree (AST) node for each component. This process can consume excessive memory, leading to an Out-Of-Memory (OOM) crash of the hosting process. The root cause is the absence of throttling or limits on the number of AST nodes or memory usage during compilation. This vulnerability is categorized under CWE-770: Allocation of Resources Without Limits or Throttling. The issue is particularly relevant in scenarios where input size is not constrained or validated, such as exposed APIs or services accepting user-supplied expressions. The vulnerability has been addressed in expr version 1.17.0 by introducing compile-time safeguards that limit AST node count and memory consumption, aborting compilation safely if limits are exceeded. For users unable to upgrade immediately, the recommended mitigation is to enforce strict input size restrictions before parsing, such as maximum character counts or node limits, to prevent resource exhaustion. The CVSS v3.1 base score is 7.5 (high), reflecting the vulnerability's potential to cause denial-of-service without requiring authentication or user interaction. No known exploits have been reported in the wild as of the publication date.
Potential Impact
For European organizations, the primary impact of CVE-2025-29786 is the risk of denial-of-service (DoS) conditions in applications using vulnerable versions of the expr-lang library. Such DoS events can lead to service outages, degraded performance, and potential disruption of critical business processes, especially in sectors relying on Go-based microservices, automation, or configuration evaluation that utilize expr. Memory exhaustion could also affect containerized environments or cloud-native deployments common in Europe, potentially causing cascading failures or increased operational costs. Since the vulnerability does not compromise confidentiality or integrity, the impact is limited to availability. However, availability disruptions in critical infrastructure, financial services, or public sector applications could have significant operational and reputational consequences. The absence of authentication or user interaction requirements means that any exposed service accepting expressions could be targeted remotely, increasing the attack surface. Organizations with strict uptime requirements or those operating in regulated industries must prioritize mitigation to maintain compliance and service reliability.
Mitigation Recommendations
1. Upgrade all instances of the expr-lang library to version 1.17.0 or later, which includes built-in compile-time limits on AST nodes and memory usage to prevent resource exhaustion.
2. For environments where immediate upgrading is not feasible, implement strict input validation to limit the size and complexity of expressions accepted by the parser. This includes setting maximum allowable character lengths and rejecting or truncating inputs exceeding these thresholds.
3. Employ runtime monitoring and alerting on memory usage patterns in services utilizing expr to detect abnormal spikes indicative of attempted exploitation.
4. Use application-layer firewalls or API gateways to enforce input size restrictions and block suspiciously large or malformed expression payloads.
5. Conduct code reviews and penetration testing focused on expression evaluation components to identify and remediate any unbounded input handling.
6. Document and communicate the vulnerability and mitigation steps to development and operations teams to ensure consistent application of safeguards.
7. Consider implementing circuit breakers or resource quotas in container orchestration platforms to limit the impact of potential OOM conditions.
These steps collectively reduce the risk of denial-of-service attacks exploiting this vulnerability.
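The following Go program is an added example of recommendation 2 above (a pre-parse guard for services that cannot yet move to 1.17.0); it is not code from the expr-lang project or from the advisory. It assumes limit values of 4096 bytes, nesting depth 32 and 1000 tokens, which are illustrative; the `compile` callback is a stand-in for `expr.Compile` so the example needs no third-party module, and the token count is only a cheap proxy for AST node count (one node per operator, literal or identifier), not the library's own accounting. On 1.17.0 and later the library's compile-time node limit applies in addition to such a guard (my recollection is that the release added a `MaxNodes` compile option; verify against the project's release notes).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// Limits are enforced on the raw expression text before it reaches the
// compiler. The values below are assumptions for this example.
type Limits struct {
	MaxBytes int // hard cap on input length in bytes
	MaxDepth int // maximum nesting of ( [ {
	MaxNodes int // cap on token count, a proxy for AST node count
}

// DefaultLimits returns the example's assumed baseline limits.
func DefaultLimits() Limits { return Limits{MaxBytes: 4096, MaxDepth: 32, MaxNodes: 1000} }

var (
	ErrInvalidUTF8 = errors.New("expression is not valid UTF-8")
	ErrTooLarge    = errors.New("expression exceeds byte limit")
	ErrTooDeep     = errors.New("expression nesting exceeds depth limit")
	ErrTooComplex  = errors.New("expression token count exceeds node limit")
)

// isWordByte reports whether b can be part of an identifier or number;
// non-ASCII bytes are treated as identifier characters.
func isWordByte(b byte) bool {
	return b == '_' || ('0' <= b && b <= '9') || ('a' <= b && b <= 'z') ||
		('A' <= b && b <= 'Z') || b >= 0x80
}

// CheckExpression rejects inputs that would make an unbounded parser allocate
// without limit. It is one linear pass with O(1) extra memory, so the guard
// itself cannot be driven into the exhaustion it prevents. Each operator byte
// counts as a token, so "==" is overcounted: the bound is conservative.
func CheckExpression(src string, lim Limits) error {
	if len(src) > lim.MaxBytes {
		return ErrTooLarge
	}
	if !utf8.ValidString(src) {
		return ErrInvalidUTF8
	}
	depth, tokens, prevWord := 0, 0, false
	inString, quote := false, byte(0)
	for i := 0; i < len(src); i++ {
		c := src[i]
		if inString { // string literal bodies contribute no nodes
			if c == '\\' {
				i++ // skip the escaped byte
			} else if c == quote {
				inString = false
			}
			continue
		}
		switch {
		case c == '"' || c == '\'':
			inString, quote, tokens, prevWord = true, c, tokens+1, false
		case c == '(' || c == '[' || c == '{':
			depth++
			if depth > lim.MaxDepth {
				return ErrTooDeep
			}
			tokens, prevWord = tokens+1, false
		case c == ')' || c == ']' || c == '}':
			depth-- // balance is the compiler's job, not the guard's
			tokens, prevWord = tokens+1, false
		case isWordByte(c):
			if !prevWord {
				tokens++ // a run of word bytes is one identifier or number
			}
			prevWord = true
		case c == ' ' || c == '\t' || c == '\n' || c == '\r':
			prevWord = false
		default: // operator or punctuation byte
			tokens, prevWord = tokens+1, false
		}
		if tokens > lim.MaxNodes {
			return ErrTooComplex
		}
	}
	return nil
}

// CompileGuarded runs the guard and only then calls compile, which in a real
// service would be expr.Compile (passed as a func value here).
func CompileGuarded(src string, lim Limits, compile func(string) error) error {
	if err := CheckExpression(src, lim); err != nil {
		return fmt.Errorf("rejected before parsing: %w", err)
	}
	return compile(src)
}

func main() {
	// Constructed inputs: a legitimate rule and an oversized expression.
	stub := func(string) error { return nil } // stands in for expr.Compile
	for _, src := range []string{`user.age >= 18 && len(user.roles) > 0`, strings.Repeat("1+", 50000) + "1"} {
		fmt.Printf("%d bytes: %v\n", len(src), CompileGuarded(src, DefaultLimits(), stub))
	}
}
```

Place the guard at the trust boundary (the HTTP handler or gateway) so rejected payloads never reach the parser, and log the sentinel error so the memory-spike monitoring in recommendation 3 can be correlated with rejected inputs.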
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-03-11T14:23:00.476Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6973a6f24623b1157c4f2e12
Added to database: 1/23/2026, 4:50:58 PM
Last enriched: 1/23/2026, 5:05:16 PM
Last updated: 1/23/2026, 5:53:50 PM