CVE-2025-29786
Published: 17 March 2025
Summary
CVE-2025-29786 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 26.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-29786 is a denial-of-service vulnerability in the Expr library, an expression language and evaluation tool for Go applications. Prior to version 1.17.0, the Expr expression parser processes unbounded input strings by compiling the entire expression into an Abstract Syntax Tree (AST), generating a node for each part. Without input size restrictions, a malicious or extremely large expression can cause the parser to build a massive AST, leading to excessive memory consumption and an Out-Of-Memory (OOM) crash in the affected process. This issue, tied to CWE-770 (Allocation of Resources Without Limits or Throttling), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The vulnerability can be exploited by any unauthenticated remote attacker who can supply an arbitrarily large expression string to an application using Expr without input validation or bounds. Typical exploitation requires scenarios where user-controlled inputs are parsed directly, such as in dynamic expression evaluation features. Successful attacks result in resource exhaustion, crashing the process and disrupting service availability, though no confidentiality or integrity impacts are possible.
Mitigation is addressed in Expr version 1.17.0 and later, which introduces compile-time limits on AST node count and memory usage during parsing to detect and abort excessively large expressions. The official GitHub security advisory (GHSA-93mq-9ffx-83m2), pull request #762, and commit 0d19441454426d2f58edb22c31f3ba5f99c7a26e detail the patch implementation. Users unable to upgrade immediately should implement workarounds by enforcing strict input size limits, such as maximum character lengths or node counts, and rejecting or truncating oversized expressions before parsing.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6527
Vulnerability details
Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios where input size isn't limited, a malicious or inadvertent extremely large expression can consume excessive memory as the parser builds a huge AST. This can ultimately lead to excessive memory usage and an Out-Of-Memory (OOM) crash of the process. This issue is relatively uncommon and will only manifest when there are no restrictions on the input size, i.e. the expression length is allowed to grow arbitrarily large. In typical use cases where inputs are bounded or validated, this problem would not occur. The problem has been patched in the latest versions of the Expr library. The fix introduces compile-time limits on the number of AST nodes and memory usage during parsing, preventing any single expression from exhausting resources. Users should upgrade to Expr version 1.17.0 or later, as this release includes the new node budget and memory limit safeguards. Upgrading to v1.17.0 ensures that extremely deep or large expressions are detected and safely aborted during compilation, avoiding the OOM condition. For users who cannot immediately upgrade, the recommended workaround is to impose an input size restriction before parsing. In practice, this means validating or limiting the length of expression strings that your application will accept. For example, set a maximum allowable number of characters (or nodes) for any expression and reject or truncate inputs that exceed this limit. By ensuring no unbounded-length expression is ever fed into the parser, one can prevent the parser from constructing a pathologically large AST and avoid potential memory exhaustion. In short, pre-validate and cap input size as a safeguard in the absence of the patch.
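The pre-parse guard described in the mitigation paragraphs above, written as an added example that is not part of the advisory or the Expr project. It uses only the Go standard library: the byte cap and token budget are constructed values, text/scanner stands in for Expr's own lexer as a conservative pre-filter, and the resulting string would be handed to expr.Compile only after GuardExpression returns nil. It rejects rather than truncates, because cutting an expression short silently changes what it evaluates to.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"text/scanner"
)

// Constructed limits for this example; size them to what your application needs.
const (
	MaxExprBytes  = 1024 // hard cap on the raw expression string
	MaxExprTokens = 256  // token budget, a safe over-approximation of AST nodes for infix input
)

var (
	ErrExprTooLong    = errors.New("expression exceeds maximum length")
	ErrExprTooComplex = errors.New("expression exceeds maximum token budget")
)

// CountTokens tokenises src with text/scanner. This is not Expr's lexer, so it is
// only a pre-filter: for ordinary arithmetic/boolean input every operand and
// operator becomes one token, and a binary-operator chain yields exactly one
// token per AST node.
func CountTokens(src string) int {
	var s scanner.Scanner
	s.Init(strings.NewReader(src))
	s.Error = func(*scanner.Scanner, string) {} // the real parser reports syntax errors
	n := 0
	for tok := s.Scan(); tok != scanner.EOF; tok = s.Scan() {
		n++
	}
	return n
}

// GuardExpression enforces the length cap first (cheap) and the token budget second.
// Callers pass src to the Expr parser only when it returns nil.
func GuardExpression(src string) error {
	if len(src) > MaxExprBytes {
		return fmt.Errorf("%w: %d bytes > %d", ErrExprTooLong, len(src), MaxExprBytes)
	}
	if n := CountTokens(src); n > MaxExprTokens {
		return fmt.Errorf("%w: %d tokens > %d", ErrExprTooComplex, n, MaxExprTokens)
	}
	return nil
}

// BuildChain constructs "1 + 1 + ... + 1" with n terms: linear input whose AST
// (2n-1 nodes) grows without bound before the 1.17.0 node budget.
func BuildChain(n int) string {
	return strings.Repeat("1 + ", n-1) + "1"
}

func main() {
	for _, n := range []int{10, 200, 1000} {
		fmt.Printf("%d terms: %v\n", n, GuardExpression(BuildChain(n)))
	}
}
```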
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote resource exhaustion via unbounded AST parsing leading to an OOM crash, which maps directly to Endpoint Denial of Service through Application or System Exploitation.
Mitigating Controls (NIST 800-53 r5)
Enforces validation of input expressions, including size limits, to prevent processing unbounded strings that cause excessive AST memory allocation and OOM crashes.
Restricts the quantity and types of inputs to the Expr parser, such as maximum string length, avoiding resource exhaustion from arbitrarily large expressions.
Mandates timely flaw remediation by upgrading to Expr v1.17.0 or later, which adds compile-time node and memory limits to block vulnerable parsing.