CVE-2025-68156

7.5 HIGH

📋 TL;DR

This vulnerability in Expr for Go allows denial-of-service attacks through stack overflow panics. Attackers can crash applications by providing deeply nested or cyclic data structures to certain builtin functions. It affects applications using Expr versions before 1.17.7 to evaluate expressions against untrusted data.

💻 Affected Systems

Products:
  • Expr (Go expression language library)
Versions: All versions before 1.17.7
Operating Systems: All platforms running Go applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use the vulnerable builtin functions (flatten, min, max, mean, median) with untrusted data structures.

⚠️ Risk & Real-World Impact

🔴 Worst Case
Complete application crash and denial of service, potentially affecting multiple users or services.

🟠 Likely Case
Application crashes when processing maliciously crafted input, causing service disruption.

🟢 If Mitigated
Graceful error handling with descriptive error messages instead of crashes.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to influence evaluation-environment data, but no authentication is needed where such an input vector exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.17.7

Vendor Advisory: https://github.com/expr-lang/expr/security/advisories/GHSA-cfpf-hrx2-8rv6

Restart Required: Yes

Instructions:

  • Update go.mod to require expr v1.17.7 or later
  • Run 'go get github.com/expr-lang/expr@v1.17.7'
  • Rebuild and redeploy the application

🔧 Temporary Workarounds

  • Input validation and sanitization [all]: Validate or sanitize externally supplied data structures before passing them to Expr.
  • Panic recovery wrapper [all]: Wrap expression evaluation in panic recovery so that a single malformed input does not take down the whole process.

🧯 If You Can't Patch

  • Ensure evaluation environments cannot contain cyclic references
  • Implement strict input validation for all data passed to Expr functions
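
Both workarounds above come down to checking the evaluation environment before Expr's recursive builtins ever see it; the Go validator below is an added example, not code from the Expr project or the advisory, that walks maps and slices by reflection and rejects cyclic references and nesting beyond a depth limit. It is worth doing this up front because a real goroutine stack overflow in Go is a fatal runtime error that recover() cannot catch. CheckEnv, ErrCyclic, ErrTooDeep and the maxDepth parameter are this example's own names and choices.

```go
package main

import (
	"errors"
	"reflect"
)

// Sentinel errors returned by CheckEnv (names are this example's own).
var ErrCyclic = errors.New("env contains a cyclic reference")
var ErrTooDeep = errors.New("env nesting exceeds depth limit")

// CheckEnv validates an evaluation environment before it reaches Expr: it
// rejects cycles (a map or slice reached again on the current path) and
// nesting deeper than maxDepth containers; shared acyclic data is accepted.
func CheckEnv(env interface{}, maxDepth int) error {
	return walk(reflect.ValueOf(env), maxDepth, map[uintptr]bool{})
}

func walk(v reflect.Value, depth int, onPath map[uintptr]bool) error {
	if v.Kind() == reflect.Interface && !v.IsNil() {
		v = v.Elem() // unbox interface{} values (e.g. map[string]interface{})
	}
	if v.Kind() == reflect.Ptr && !v.IsNil() {
		v = v.Elem() // look through one pointer level
	}
	if (v.Kind() != reflect.Map && v.Kind() != reflect.Slice) || v.Len() == 0 {
		return nil // scalars and empty containers cannot recurse
	}
	addr := v.Pointer() // identity of the map or slice backing array
	if onPath[addr] {
		return ErrCyclic
	}
	if depth == 0 {
		return ErrTooDeep
	}
	onPath[addr] = true
	defer delete(onPath, addr) // only the current path counts as a cycle
	child := func(i int) reflect.Value { return v.Index(i) }
	if v.Kind() == reflect.Map {
		keys := v.MapKeys()
		child = func(i int) reflect.Value { return v.MapIndex(keys[i]) }
	}
	for i := 0; i < v.Len(); i++ {
		if err := walk(child(i), depth-1, onPath); err != nil {
			return err
		}
	}
	return nil
}
```

Call CheckEnv on the untrusted environment and refuse to run the expression when it returns an error; the depth limit should be chosen above the deepest legitimate input you expect.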

🔍 How to Verify

Check if Vulnerable:

Check go.mod or go.sum for expr versions before 1.17.7

Check Version:

grep 'expr-lang/expr' go.mod

Verify Fix Applied:

Verify expr version is 1.17.7 or later in go.mod

📡 Detection & Monitoring

Log Indicators:

  • Stack overflow panic messages
  • Application crash logs mentioning Expr functions
  • Unexpected process termination

Network Indicators:

  • Sudden service unavailability
  • Increased error rates in API responses

SIEM Query:

process:terminated AND (message:*panic* OR message:*stack*overflow*) AND source:expr
