CVE-2025-68156 is a vulnerability in the expr-lang Go library, specifically in versions before 1.17.7, where several builtin functions (flatten, min, max, mean, median) perform recursive traversal over user-provided data structures without enforcing a maximum recursion depth. This lack of limits allows an attacker to supply deeply nested or cyclic data structures that cause the recursive functions to recurse indefinitely until the Go runtime stack limit is exceeded, resulting in a stack overflow panic and crashing the host application. The vulnerability represents a denial-of-service (DoS) risk because the process terminates unexpectedly rather than returning a recoverable error. Exploitability depends on the ability of an attacker to influence or inject cyclic or pathologically deep data into the evaluation environment, which is common in scenarios where expr-lang evaluates expressions against externally supplied or dynamically constructed data. The issue is mitigated in version 1.17.7 by introducing a maximum recursion depth limit for affected functions, which aborts evaluation gracefully with a descriptive error when exceeded. This limit is customizable via the builtin.MaxDepth parameter, allowing legitimate deep structures to be handled safely. For users unable to upgrade immediately, recommended mitigations include preventing cyclic references in evaluation environments, validating or sanitizing external data before evaluation, and wrapping expression evaluation with panic recovery to avoid full process crashes. The vulnerability has a CVSS 3.1 score of 7.5 (high severity), reflecting its network attack vector, low attack complexity, no privileges or user interaction required, and impact limited to availability (denial of service). No known exploits are reported in the wild yet.

For European organizations, this vulnerability poses a significant risk of denial-of-service attacks against applications using vulnerable versions of expr-lang to evaluate expressions on untrusted or dynamically constructed data. Critical services relying on expr-lang for configuration, policy evaluation, or data processing could be disrupted by crafted inputs causing application crashes. This can lead to service downtime, loss of availability, and potential cascading effects on dependent systems. Organizations in sectors such as finance, telecommunications, government, and critical infrastructure that utilize Go-based microservices or automation tools incorporating expr-lang are particularly vulnerable. The lack of authentication or user interaction requirements means remote attackers can exploit this vulnerability over the network if the application exposes expression evaluation functionality. While the vulnerability does not affect confidentiality or integrity directly, the availability impact can degrade operational continuity and erode trust in affected services. Additionally, denial-of-service conditions could be leveraged as part of multi-stage attacks or to distract from other malicious activities.

The primary mitigation is to upgrade all instances of expr-lang to version 1.17.7 or later, which includes a recursion depth limit and graceful error handling to prevent stack overflow panics. Organizations should audit their codebases and dependencies to identify usage of vulnerable expr-lang versions. For environments where immediate upgrade is not feasible, implement input validation and sanitization to detect and reject cyclic or excessively deep data structures before evaluation. Developers should enforce application-level safeguards to prevent injection of maliciously crafted data into the evaluation environment. Additionally, wrapping expression evaluation calls with panic recovery mechanisms can prevent full process crashes, allowing the application to handle errors more gracefully. Monitoring and logging expression evaluation failures can help detect attempted exploitation. Security teams should also review network exposure of services using expr-lang to limit attacker access. Incorporating these mitigations reduces risk until patching can be completed.