CVE-2025-62162
📋 TL;DR
A vulnerability in cel-rust allows an attacker to cause a denial of service by submitting specially crafted CEL expressions. It affects systems that use cel-rust versions 0.10.0 through 0.11.3 to parse or evaluate untrusted input, such as APIs that accept user-supplied expressions. The parser panics on certain malformed input; under Rust's default panic=unwind profile an uncaught panic kills the thread it runs on, and the whole process if that is the main thread or the binary is built with panic=abort.
💻 Affected Systems
- cel-rust
⚠️ Manual Verification Required
When this page was generated the CVE database entry carried no version range, so automated detection keyed on that data cannot decide whether your system is affected. The affected range above (0.10.0 through 0.11.3, fixed in 0.11.4) comes from the vendor advisory, so check your own lockfile against it:
- Review the CVE details at NVD
- Check the vendor advisory for the exact crate name and version range
- Test whether the vulnerability is reachable in your environment (does untrusted input reach the CEL parser?)
- Update to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to process termination, potentially affecting multiple services if cel-rust is used in critical components.
Likely Case
Service disruption for applications evaluating untrusted CEL expressions, leading to temporary downtime until processes restart.
If Mitigated
Minimal impact if pre-parse validation keeps crashing expressions away from the parser and the service runs under a supervisor so a crash costs only a restart. Rate limiting alone does not stop a single crashing request; it only slows down repeated ones.
🎯 Exploit Status
Exploitation only requires sending a malformed CEL expression to an endpoint that passes it to the vulnerable parser. Any caller who can reach such an endpoint can trigger the crash; no authentication is needed where the endpoint is reachable unauthenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.11.4
Vendor Advisory: https://github.com/cel-rust/cel-rust/security/advisories/GHSA-wxwx-9fh7-5mrw
Restart Required: Yes
Instructions:
1. In Cargo.toml, raise the cel-rust dependency requirement to 0.11.4 or later. The dependency key is the crate name as published on crates.io, which can differ from the GitHub repository name; check the advisory for the exact crate.
2. Run 'cargo update' so Cargo.lock resolves to the patched release. If the crate is only a transitive dependency, the crate that pulls it in must allow the new version.
3. Rebuild and redeploy the application.
4. Restart affected services.
🔧 Temporary Workarounds
Input validation (platform: all)
Reject over-long or deeply nested expressions, and restrict accepted expressions to the shape your feature actually needs, before anything reaches the parser.
Rate limiting (platform: all)
Limit request frequency per client to slow down repeated crash-and-restart cycles; this does not stop the first crashing request.
🧯 If You Can't Patch
- Add Web Application Firewall (WAF) or reverse-proxy rules that cap request body size and reject obviously over-long or deeply nested expressions. A WAF cannot parse CEL, so this is defence in depth, not a filter for malformed syntax.
- Isolate the service that evaluates expressions behind a reverse proxy with request filtering, run it under a supervisor that restarts it, and keep it in its own process so a crash does not take down unrelated components.
🔍 How to Verify
Check if Vulnerable:
Check Cargo.lock (the resolved version, which is what actually ships) for a cel-rust crate entry with a version between 0.10.0 and 0.11.3. Cargo.toml only states the requirement, and the crate may arrive as a transitive dependency under the name it is published with on crates.io rather than the repository name.
Check Version:
grep -A2 -B2 'cel-rust' Cargo.lock
To see which of your direct dependencies pulls the crate in, run cargo tree -i <crate-name> with the published crate name.
Verify Fix Applied:
Confirm the crate's version is 0.11.4 or higher in Cargo.lock, and that the deployed binary was built from that lockfile.
📡 Detection & Monitoring
Log Indicators:
- Process termination/crash logs and supervisor restart events for applications that embed cel-rust
- Rust panic lines ("thread '...' panicked at <file>:<line>:<col>:") whose reported source location lies inside the crate's directory; the crate name and version appear in that path, so match on the published crate name rather than only on the literal string 'cel-rust'
Network Indicators:
- Unusual volume of requests to CEL expression endpoints
- Requests containing malformed CEL syntax
SIEM Query:
source="application.logs" AND ("panic" OR "crash") AND "cel-rust"
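The following Rust is an added example of the log-side detection above, not tooling from the page or the cel-rust project. It parses the standard two-line Rust panic format from log lines, keeps only panics whose source location contains an assumed crate-directory marker, and counts repeats per location. The log lines and the crate directory name cel-x.y.z are constructed placeholders.

```rust
use std::collections::BTreeMap;

/// One parsed panic event from the standard Rust panic format:
/// `thread 'NAME' panicked at FILE:LINE:COL:` followed by the message on the next line.
#[derive(Debug, PartialEq, Clone)]
pub struct PanicEvent {
    pub thread: String,
    pub location: String,
    pub message: String,
}

/// Scan log lines (any shipper prefix before `thread '` is tolerated) and extract
/// panic events whose source location contains `crate_marker`. The marker is the
/// directory the crate's sources live under in your build, which shows up in the
/// panic location; it is an assumption here and must match your registry layout.
pub fn panic_events(lines: &[&str], crate_marker: &str) -> Vec<PanicEvent> {
    let mut out = Vec::new();
    let mut i = 0;
    while i < lines.len() {
        let line = lines[i];
        i += 1;
        let Some(start) = line.find("thread '") else { continue };
        let rest = &line[start + "thread '".len()..];
        let Some(q) = rest.find("' panicked at ") else { continue };
        let thread = rest[..q].to_string();
        let location = rest[q + "' panicked at ".len()..].trim_end_matches(':').to_string();
        if !location.contains(crate_marker) {
            continue;
        }
        // The message is the following line unless the log ends or another panic starts there.
        let mut message = String::new();
        if i < lines.len() && !lines[i].contains("' panicked at ") {
            message = lines[i].trim().to_string();
            i += 1;
        }
        out.push(PanicEvent { thread, location, message });
    }
    out
}

/// Count events per source location: one location firing repeatedly across
/// restarts is the signature of a caller replaying a crashing expression.
pub fn count_by_location(events: &[PanicEvent]) -> BTreeMap<String, usize> {
    let mut counts = BTreeMap::new();
    for e in events {
        *counts.entry(e.location.clone()).or_insert(0) += 1;
    }
    counts
}

/// Constructed sample log lines (not real cel-rust output); the crate directory
/// `cel-x.y.z` and the panic text are placeholders.
pub const SAMPLE_LOG: &[&str] = &[
    "2025-11-02T10:00:01Z svc INFO listening on 0.0.0.0:8080",
    "2025-11-02T10:00:07Z svc thread 'tokio-runtime-worker' panicked at /build/registry/cel-x.y.z/src/parser.rs:118:29:",
    "2025-11-02T10:00:07Z svc placeholder panic message",
    "2025-11-02T10:00:07Z svc note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace",
    "2025-11-02T10:00:09Z svc INFO listening on 0.0.0.0:8080",
    "2025-11-02T10:00:12Z svc thread 'tokio-runtime-worker' panicked at /build/registry/cel-x.y.z/src/parser.rs:118:29:",
    "2025-11-02T10:00:12Z svc placeholder panic message",
    "2025-11-02T10:00:15Z svc thread 'main' panicked at src/main.rs:40:5:",
    "2025-11-02T10:00:15Z svc config file missing",
];

fn main() {
    // "/cel-" is the assumed marker for the crate's source directory.
    let events = panic_events(SAMPLE_LOG, "/cel-");
    for (loc, n) in count_by_location(&events) {
        println!("{n} panic(s) at {loc}");
    }
}
```

Pair the per-location counts with the network indicators above: the same location recurring within minutes, alongside a burst of requests to the expression endpoint from one client, is the pattern worth alerting on. A single panic at a different location (the main-thread example in the sample) is an ordinary crash and should not match.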