CVE-2025-29786
📋 TL;DR
CVE-2025-29786 is a denial-of-service vulnerability in the Expr expression language for Go where unbounded input strings can cause excessive memory consumption and process crashes. This affects applications using Expr versions before 1.17.0 that accept untrusted expression input without size limits. The vulnerability allows attackers to cause out-of-memory conditions by submitting extremely large expressions.
💻 Affected Systems
- Expr expression language for Go
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption through out-of-memory crashes, potentially leading to extended downtime and data loss in affected processes.
Likely Case
Service degradation or temporary unavailability when malicious actors submit large expressions to vulnerable endpoints.
If Mitigated
Minimal impact with proper input validation or patched versions, where large expressions are rejected before parsing.
🎯 Exploit Status
Exploitation requires the ability to submit expression input to a vulnerable endpoint. No authentication bypass is needed if the endpoint is publicly accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.17.0 and later
Vendor Advisory: https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2
Restart Required: No
Instructions:
1. Update the Expr dependency to version 1.17.0 or later.
2. Run 'go get github.com/expr-lang/expr@v1.17.0'.
3. Rebuild and redeploy affected applications.
🔧 Temporary Workarounds
Input size restriction
Implement maximum length validation for expression strings before they reach the parser.
// Example Go code (maxExprLength is an application-chosen byte limit):
if len(expression) > maxExprLength { return errors.New("expression exceeds size limit") }
🧯 If You Can't Patch
- Implement strict input validation to reject expressions exceeding reasonable length limits
- Deploy rate limiting and input sanitization at API gateways or web application firewalls
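The length check from the temporary workaround and the input-validation mitigation above, combined into one small Go program. This is an added example, not code from the Expr project or from the advisory: `maxExprBytes`, `checkExpressionSize`, `evalHandler` and the `/eval` route are assumed names, and the 4096-byte limit is an assumed value to be tuned to the longest legitimate expression your application accepts. The request body is capped with `http.MaxBytesReader` so an oversized payload is cut off while it is being read, rather than buffered into memory and then rejected; the string check covers callers that obtain the expression by other routes.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"unicode/utf8"
)

// maxExprBytes is an assumed limit (not from the advisory); set it to the
// largest expression your application legitimately needs to compile.
const maxExprBytes = 4096

// ErrExpressionTooLarge is returned when an expression exceeds the size limit.
var ErrExpressionTooLarge = errors.New("expression exceeds maximum allowed size")

// checkExpressionSize rejects an expression before it is handed to the parser.
// It bounds the byte length (the quantity the parser allocates on) and
// rejects malformed UTF-8, which has no business reaching a lexer either.
func checkExpressionSize(expression string, limit int) error {
	if len(expression) > limit {
		return fmt.Errorf("%w: %d bytes > %d", ErrExpressionTooLarge, len(expression), limit)
	}
	if !utf8.ValidString(expression) {
		return errors.New("expression is not valid UTF-8")
	}
	return nil
}

// evalHandler is an assumed HTTP endpoint that receives an expression in the
// request body. It enforces the limit at the transport layer first, so a
// multi-megabyte payload never gets fully buffered, then re-checks the string.
func evalHandler(w http.ResponseWriter, r *http.Request) {
	// Reads past maxExprBytes fail with *http.MaxBytesError instead of
	// growing the buffer; the server also closes the connection afterwards.
	r.Body = http.MaxBytesReader(w, r.Body, maxExprBytes)

	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "expression too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "could not read request body", http.StatusBadRequest)
		return
	}

	expression := string(body)
	if err := checkExpressionSize(expression, maxExprBytes); err != nil {
		http.Error(w, err.Error(), http.StatusRequestEntityTooLarge)
		return
	}

	// Only now would the expression be passed to expr.Compile / expr.Run
	// (omitted here so the example runs without the expr module).
	fmt.Fprintf(w, "accepted expression of %d bytes\n", len(expression))
}

func main() {
	http.HandleFunc("/eval", evalHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

The transport-level cap is the part that actually prevents the memory spike: a plain `len()` check after `io.ReadAll` has already paid the allocation cost. Keep the limit well below whatever the parser can handle, and emit a log line or metric on every 413 so the detection indicators listed below have something to key on.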
🔍 How to Verify
Check if Vulnerable:
Check go.mod or go.sum for an Expr dependency version below 1.17.0
Check Version:
grep 'expr-lang/expr' go.mod || grep 'github.com/expr-lang/expr' go.sum
Verify Fix Applied:
Confirm the Expr version in your dependencies is 1.17.0 or later, then test the endpoint with a large expression input
📡 Detection & Monitoring
Log Indicators:
- Memory spike alerts
- Process crash/restart logs
- Unusually large input payloads in application logs
Network Indicators:
- Large POST requests to expression evaluation endpoints
- Repeated requests with increasing payload sizes
SIEM Query:
source="application.logs" AND ("out of memory" OR "OOM" OR "panic") AND "expr"