CVE-2025-68156: CWE-770: Allocation of Resources Without Limits or Throttling in expr-lang expr
Expr is an expression language and expression evaluator for Go. Prior to version 1.17.7, several builtin functions in Expr, including `flatten`, `min`, `max`, `mean`, and `median`, perform recursive traversal over user-provided data structures without enforcing a maximum recursion depth. If the evaluation environment contains deeply nested or cyclic data structures, these functions may recurse indefinitely until they exceed the Go runtime stack limit. This results in a stack overflow panic, causing the host application to crash. While exploitability depends on whether an attacker can influence or inject cyclic or pathologically deep data into the evaluation environment, this behavior represents a denial-of-service (DoS) risk and affects overall library robustness. Instead of returning a recoverable evaluation error, the process may terminate unexpectedly.
In affected versions, evaluation of expressions that invoke certain builtin functions on untrusted or insufficiently validated data structures can lead to a process-level crash due to stack exhaustion. This issue is most relevant in scenarios where Expr is used to evaluate expressions against externally supplied or dynamically constructed environments; cyclic references (direct or indirect) can be introduced into arrays, maps, or structs; and there are no application-level safeguards preventing deeply nested input data. In typical use cases with controlled, acyclic data, the issue may not manifest. However, when present, the resulting crash can be triggered reliably, constituting a denial of service.
The issue has been fixed in version 1.17.7 of Expr. The patch introduces a maximum recursion depth limit for the affected builtin functions. When this limit is exceeded, evaluation aborts gracefully and returns a descriptive error instead of panicking.
Additionally, the maximum depth can be customized by users via `builtin.MaxDepth`, allowing applications with legitimate deep structures to raise the limit in a controlled manner. Users are strongly encouraged to upgrade to the patched release, which includes both the recursion guard and comprehensive test coverage to prevent regressions. For users who cannot immediately upgrade, some mitigations are recommended. Ensure that evaluation environments cannot contain cyclic references, validate or sanitize externally supplied data structures before passing them to Expr, and/or wrap expression evaluation with panic recovery to prevent a full process crash (as a last-resort defensive measure). These workarounds reduce risk but do not fully eliminate the issue without the patch.
AI Analysis
Technical Summary
CVE-2025-68156 is a vulnerability in the expr-lang library, a Go-based expression language and evaluation tool. Prior to version 1.17.7, several builtin functions (flatten, min, max, mean, median) perform recursive traversals over user-supplied data structures without enforcing a maximum recursion depth. This lack of throttling allows an attacker to supply deeply nested or cyclic data structures that cause the recursion to continue indefinitely until the Go runtime stack limit is exceeded, resulting in a stack overflow panic. This panic causes the host application to crash abruptly, leading to a denial-of-service (DoS) condition. The vulnerability is particularly relevant when expr-lang is used to evaluate expressions against externally supplied or dynamically constructed environments where cyclic references can be introduced in arrays, maps, or structs. Typical use cases with controlled, acyclic data do not manifest this issue. The patch in version 1.17.7 introduces a configurable maximum recursion depth for the affected builtin functions, enabling graceful aborts with descriptive errors instead of panics. For users unable to upgrade immediately, recommended mitigations include ensuring no cyclic references exist in evaluation environments, validating or sanitizing input data, and wrapping expression evaluation with panic recovery to prevent full process crashes. The CVSS v3.1 score is 7.5 (high), reflecting the vulnerability's network attack vector, low attack complexity, no privileges or user interaction required, and impact limited to availability (denial of service). No known exploits are currently reported in the wild.
Potential Impact
For European organizations, the primary impact of CVE-2025-68156 is denial of service due to application crashes when processing maliciously crafted or malformed input data in expr-lang-based systems. This can disrupt backend services, APIs, or microservices that rely on expr for expression evaluation, potentially affecting business continuity and service availability. Industries with high reliance on Go-based infrastructure, such as fintech, telecommunications, cloud service providers, and software development firms, may experience operational interruptions. The vulnerability does not directly compromise confidentiality or integrity but can be leveraged by attackers to cause persistent service outages. In multi-tenant or cloud environments, this could lead to cascading failures or impact multiple customers. The ease of exploitation without authentication increases risk, especially in public-facing services that accept user input evaluated by expr. Organizations that do not sanitize or validate input data or lack panic recovery mechanisms are particularly vulnerable. The availability impact may also affect compliance with European regulations requiring service continuity and incident management, such as GDPR and NIS Directive.
Mitigation Recommendations
The most effective mitigation is to upgrade expr-lang to version 1.17.7 or later, which adds a maximum recursion depth limit to the affected builtins and returns a descriptive error instead of crashing when that limit is exceeded. After upgrading, review the `builtin.MaxDepth` setting against the deepest legitimate environments the application evaluates and raise it only as far as actually needed. For organizations unable to upgrade immediately, validate every externally supplied or dynamically constructed environment before passing it to expr: walk the data, reject anything that contains a reference cycle (directly, or indirectly through intermediate maps, slices or structs), and reject or truncate nesting beyond a fixed depth. Wrapping the evaluation call in a deferred recover() contains ordinary panics, but a Go stack overflow is reported by the runtime as a fatal error ("fatal error: stack overflow") that recover() cannot intercept, so panic recovery alone does not stop the crash described here; the pre-evaluation depth and cycle check is the control that actually prevents it. Exercise the expression evaluation path in tests with cyclic and deeply nested environments to confirm that the checks fire before evaluation starts. Monitor for unexpected process restarts and for "goroutine stack exceeds" / "fatal error: stack overflow" messages in crash output, which indicate the condition was reached. Finally, include expr-based services in incident response plans for application-level DoS.
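The pre-upgrade controls described in the advisory text and in the recommendations above (check the environment for cycles and excessive nesting before evaluating, then contain ordinary panics) as a stand-alone Go example added for this page; it is not code from expr-lang. It deliberately imports nothing from the library: the `eval` callback stands in for a call such as `expr.Run(program, env)`, and the names `CheckEnv`, `GuardedEval`, `ErrCycle`, `ErrTooDeep`, `ErrEvalPanic` and the sample environments are this example's own constructions.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
)

// Errors returned by CheckEnv, before any expression runs, so the caller can
// reject the request instead of letting a builtin recurse into it.
var (
	ErrCycle     = errors.New("environment contains a cyclic reference")
	ErrTooDeep   = errors.New("environment nesting exceeds the configured depth limit")
	ErrEvalPanic = errors.New("expression evaluation panicked")
)

// CheckEnv walks an Expr environment (maps, slices, arrays, pointers and the
// exported fields of structs) and fails on a reference cycle or on nesting
// deeper than maxDepth. Unexported struct fields are skipped because Expr
// cannot read them either.
func CheckEnv(env any, maxDepth int) error {
	return walk(reflect.ValueOf(env), 0, maxDepth, map[uintptr]bool{})
}

// onPath holds the addresses of the containers currently being descended into.
// An address already on the path is a cycle; an address seen on a different
// branch is merely shared data (a DAG), which is safe for Expr to traverse.
func walk(v reflect.Value, depth, maxDepth int, onPath map[uintptr]bool) error {
	if depth > maxDepth {
		return ErrTooDeep
	}
	enter := func(p uintptr) (func(), bool) {
		if onPath[p] {
			return nil, false
		}
		onPath[p] = true
		return func() { delete(onPath, p) }, true
	}
	switch v.Kind() {
	case reflect.Interface:
		if v.IsNil() {
			return nil
		}
		return walk(v.Elem(), depth, maxDepth, onPath) // unwrapping adds no depth
	case reflect.Ptr:
		if v.IsNil() {
			return nil
		}
		leave, ok := enter(v.Pointer())
		if !ok {
			return ErrCycle
		}
		defer leave()
		return walk(v.Elem(), depth, maxDepth, onPath)
	case reflect.Map:
		if v.IsNil() {
			return nil
		}
		leave, ok := enter(v.Pointer())
		if !ok {
			return ErrCycle
		}
		defer leave()
		for it := v.MapRange(); it.Next(); {
			if err := walk(it.Key(), depth+1, maxDepth, onPath); err != nil {
				return err
			}
			if err := walk(it.Value(), depth+1, maxDepth, onPath); err != nil {
				return err
			}
		}
	case reflect.Slice:
		if v.IsNil() || v.Len() == 0 {
			return nil // nothing to descend into; empty slices may share one address
		}
		leave, ok := enter(v.Pointer())
		if !ok {
			return ErrCycle
		}
		defer leave()
		fallthrough
	case reflect.Array:
		for i := 0; i < v.Len(); i++ {
			if err := walk(v.Index(i), depth+1, maxDepth, onPath); err != nil {
				return err
			}
		}
	case reflect.Struct:
		for i := 0; i < v.NumField(); i++ {
			if v.Type().Field(i).PkgPath != "" {
				continue // unexported field, invisible to Expr
			}
			if err := walk(v.Field(i), depth+1, maxDepth, onPath); err != nil {
				return err
			}
		}
	}
	return nil
}

// GuardedEval validates env, then runs eval and converts an ordinary panic into
// an error. It cannot catch a Go stack overflow (the runtime reports that as a
// fatal error that recover() never sees), which is why CheckEnv runs first.
func GuardedEval(env any, maxDepth int, eval func(env any) (any, error)) (result any, err error) {
	if err := CheckEnv(env, maxDepth); err != nil {
		return nil, err
	}
	defer func() {
		if r := recover(); r != nil {
			result, err = nil, fmt.Errorf("%w: %v", ErrEvalPanic, r)
		}
	}()
	return eval(env)
}

func main() {
	// Constructed sample environments, not taken from the advisory.
	cyclic := map[string]any{"name": "a"}
	cyclic["self"] = cyclic // flatten(self) would never terminate on this
	var deep any = 1
	for i := 0; i < 50; i++ {
		deep = []any{deep} // 50 levels of nested arrays
	}
	ok := map[string]any{"xs": []any{1, []any{2, 3}}}

	// Stand-in for the real evaluator, e.g. func(env any) (any, error) { return expr.Run(program, env) }.
	eval := func(env any) (any, error) { return fmt.Sprintf("evaluated %T", env), nil }
	for name, env := range map[string]any{"cyclic": cyclic, "deep": deep, "ok": ok} {
		res, err := GuardedEval(env, 32, eval)
		fmt.Printf("%-6s result=%v err=%v\n", name, res, err)
	}
}
```

The depth counter increments once per container level (map, slice, array or struct) and not when unwrapping an interface or dereferencing a pointer, so the limit maps directly onto how far a builtin such as `flatten` would have to recurse. Cycle detection is path-scoped on purpose: the same slice referenced from two sibling keys is legal input that the library can traverse, and flagging it would reject environments that are in fact safe.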
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Poland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-15T23:02:17.604Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6941ae5b0d5f6f4391b0c394
Added to database: 12/16/2025, 7:09:15 PM
Last enriched: 12/16/2025, 7:10:19 PM
Last updated: 12/18/2025, 12:29:15 PM
Related Threats
- CVE-2025-14618: CWE-862 Missing Authorization in listingthemes Sweet Energy Efficiency (Medium)
- CVE-2025-14437: CWE-532 Insertion of Sensitive Information into Log File in wpmudev Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN (High)
- CVE-2025-14277: CWE-918 Server-Side Request Forgery (SSRF) in bdthemes Prime Slider – Addons for Elementor (Medium)
- CVE-2025-13110: CWE-639 Authorization Bypass Through User-Controlled Key in realmag777 HUSKY – Products Filter Professional for WooCommerce (Medium)
- CVE-2025-10910: CWE-639 Authorization Bypass Through User-Controlled Key in Govee H6056 (Critical)