Cyber Resilience

CVE-2025-29786

Severity: High · Denial of service (DoS)

Published: 17 March 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (Expr v1.17.0)
CVSS v3.1: 7.5 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.0009 (26.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-29786 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Expr, an expression language and evaluation library for Go. Its CVSS v3.1 base score is 7.5 (High): network-reachable, low attack complexity, no privileges or user interaction required, with the impact confined to availability.

Operationally, exploitation aligns with MITRE ATT&CK technique T1499.004 (Endpoint Denial of Service: Application or System Exploitation). EPSS ranks it at the 26.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST SP 800-53 SI-10 (Information Input Validation), which covers the pre-parse size limit, and SI-2 (Flaw Remediation), which covers the upgrade to Expr v1.17.0.

Deeper analysis

CVE-2025-29786 is a denial-of-service vulnerability in Expr, an expression language and evaluation library for Go applications. Prior to version 1.17.0, the Expr parser places no bound on the size of the input it compiles: it reads the entire expression string and generates an Abstract Syntax Tree (AST) node for each part of it. Without an input size restriction, a malicious or inadvertently enormous expression therefore makes the parser build a correspondingly large AST, driving memory consumption up until the process is killed by an Out-Of-Memory (OOM) condition. The issue is classified as CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

The vulnerability can be exploited by any unauthenticated remote attacker who can supply an arbitrarily large expression string to an application that hands it to Expr without validating or bounding its length. That requires a feature in which user-controlled input is parsed directly, for example dynamic rule, filter or expression evaluation exposed through an API. A successful attack exhausts memory and crashes the process, disrupting availability; the vector records no confidentiality or integrity impact.

The fix ships in Expr version 1.17.0 and later, which introduces compile-time limits on the number of AST nodes and on memory usage during parsing, so that an excessively large or deep expression is detected and aborted instead of being compiled. The GitHub security advisory (GHSA-93mq-9ffx-83m2), pull request #762 and commit 0d19441454426d2f58edb22c31f3ba5f99c7a26e document the patch. Users who cannot upgrade immediately should enforce a strict input size limit before parsing, for example a maximum number of characters (or, where a cheap pre-pass is feasible, nodes) per expression, and reject anything over the limit. Rejecting is preferable to the truncation the advisory also mentions: a truncated expression is a different expression, which at best fails to parse and at worst evaluates to something its author never wrote.


Vulnerability details

Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios where input size isn't limited, a malicious or inadvertent extremely large expression can consume excessive memory as the parser builds a huge AST. This can ultimately lead to excessive memory usage and an Out-Of-Memory (OOM) crash of the process. This issue is relatively uncommon and will only manifest when there are no restrictions on the input size, i.e. the expression length is allowed to grow arbitrarily large. In typical use cases where inputs are bounded or validated, this problem would not occur.

The problem has been patched in the latest versions of the Expr library. The fix introduces compile-time limits on the number of AST nodes and memory usage during parsing, preventing any single expression from exhausting resources. Users should upgrade to Expr version 1.17.0 or later, as this release includes the new node budget and memory limit safeguards. Upgrading to v1.17.0 ensures that extremely deep or large expressions are detected and safely aborted during compilation, avoiding the OOM condition.

For users who cannot immediately upgrade, the recommended workaround is to impose an input size restriction before parsing. In practice, this means validating or limiting the length of expression strings that your application will accept. For example, set a maximum allowable number of characters (or nodes) for any expression and reject or truncate inputs that exceed this limit. By ensuring no unbounded-length expression is ever fed into the parser, one can prevent the parser from constructing a pathologically large AST and avoid potential memory exhaustion. In short, pre-validate and cap input size as a safeguard in the absence of the patch.
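The fix and the workaround described above, in the deeper analysis and again in the advisory text, come down to one idea: stop the parser before an attacker-sized input becomes an attacker-sized tree. The Go program below is an added example written for this page, not code from the Expr project, and it does not use the Expr API. It implements a deliberately tiny expression grammar (atoms, unary minus, the binary operators + - * /, no precedence) whose parser charges every AST node against a budget at the single place nodes are created, and wraps it in a hypothetical CompileBounded function that first applies the pre-1.17.0 workaround, rejecting rather than truncating input over a length cap. The function names, error names and sample inputs are this example's own constructions. One detail to notice: the unary-minus node is charged to the budget before the recursive call, so recursion depth is bounded by the budget as well; a grouping construct that allocates no node (parentheses, say) would need its own depth counter, which this toy omits.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors for the two guards; both names are this example's own.
var ErrTooLong = errors.New("expression exceeds maximum length")
var ErrNodeBudget = errors.New("expression exceeds AST node budget")

// Node is one AST node. Tok is an atom's text, a binary operator (+ - * /), or "u-" for unary minus.
type Node struct {
	Tok         string
	Left, Right *Node
}

type parser struct {
	src             string
	pos             int
	nodes, maxNodes int // AST nodes allocated so far, and the budget
}

// alloc is the only place AST nodes are created, so no grammar rule can bypass the budget.
func (p *parser) alloc(n *Node) (*Node, error) {
	if p.nodes++; p.nodes > p.maxNodes {
		return nil, ErrNodeBudget
	}
	return n, nil
}

// peek skips spaces and returns the next byte, or 0 at end of input.
func (p *parser) peek() byte {
	for p.pos < len(p.src) && p.src[p.pos] == ' ' {
		p.pos++
	}
	if p.pos < len(p.src) {
		return p.src[p.pos]
	}
	return 0
}

// expr := primary (op primary)*, left-associative, no precedence; on error the node is meaningless, check err first.
func (p *parser) parseExpr() (*Node, error) {
	left, err := p.parsePrimary()
	for err == nil && strings.IndexByte("+-*/", p.peek()) >= 0 {
		op := p.src[p.pos : p.pos+1]
		p.pos++
		var right *Node
		if right, err = p.parsePrimary(); err == nil {
			left, err = p.alloc(&Node{Tok: op, Left: left, Right: right})
		}
	}
	return left, err
}

// primary := "-" primary | atom. The unary-minus node is charged to the budget BEFORE
// the recursive call, so "-----...x" is cut off by the budget long before the recursion
// can exhaust the stack; charging it afterwards would let the whole chain recurse first.
func (p *parser) parsePrimary() (*Node, error) {
	if p.peek() == '-' {
		p.pos++
		n, err := p.alloc(&Node{Tok: "u-"})
		if err != nil {
			return nil, err
		}
		if n.Left, err = p.parsePrimary(); err != nil {
			return nil, err
		}
		return n, nil
	}
	start := p.pos // an atom is a run of bytes that are neither spaces nor operators
	for p.pos < len(p.src) && strings.IndexByte(" +-*/", p.src[p.pos]) < 0 {
		p.pos++
	}
	if start == p.pos {
		return nil, fmt.Errorf("unexpected input at offset %d", p.pos)
	}
	return p.alloc(&Node{Tok: p.src[start:p.pos]})
}

// CompileBounded (a hypothetical name) applies the pre-1.17.0 workaround first, rejecting
// rather than truncating input longer than maxLen, then parses under a node budget, the
// class of safeguard Expr v1.17.0 added. It also returns how many AST nodes were allocated.
func CompileBounded(src string, maxLen, maxNodes int) (*Node, int, error) {
	if len(src) > maxLen {
		return nil, 0, ErrTooLong
	}
	p := &parser{src: src, maxNodes: maxNodes}
	root, err := p.parseExpr()
	if p.peek(); err == nil && p.pos < len(p.src) { // peek only to skip trailing spaces
		err = fmt.Errorf("trailing input at offset %d", p.pos)
	}
	if err != nil {
		return nil, p.nodes, err
	}
	return root, p.nodes, nil
}

func main() {
	// Constructed inputs: benign; ~100 kB, refused by the length cap; 5000 nested "-", stopped by the budget.
	for _, src := range []string{"a + b * c - 2", strings.Repeat("1+", 50000) + "1", strings.Repeat("-", 5000) + "x"} {
		_, n, err := CompileBounded(src, 64*1024, 1000)
		fmt.Printf("len=%-6d nodes=%-4d err=%v\n", len(src), n, err)
	}
}
```

Run it with go run. The constructed 100 kB input is refused by the length check without being parsed at all, while a run of 5000 minus signs (and likewise an 8 kB "1+1+...+1" that would produce 4001 nodes) is stopped by the budget after 1001 allocations. A length cap on its own already bounds both node count and depth, since neither can exceed the input's byte length, which is why the advisory treats it as a sufficient stopgap; the budget is the defence the library can enforce regardless of what callers do.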

CWE(s)

CWE-770 Allocation of Resources Without Limits or Throttling

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Endpoint Denial of Service: Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability enables remote resource exhaustion via unbounded AST parsing leading to OOM crash, directly mapping to Endpoint Denial of Service through Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

The following CVEs share CWE-770 (Allocation of Resources Without Limits or Throttling):
CVE-2021-47877
CVE-2026-3260
CVE-2025-66560
CVE-2025-68136
CVE-2020-37038
CVE-2025-36070
CVE-2021-47791
CVE-2021-47876
CVE-2019-25342
CVE-2026-44004

Affected Assets

Expr (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

Prevent: Enforces validation of input expressions, including size limits, to prevent processing unbounded strings that cause excessive AST memory allocation and OOM crashes.

Prevent: Restricts the quantity and types of inputs to the Expr parser, such as maximum string length, avoiding resource exhaustion from arbitrarily large expressions.

Prevent: Mandates timely flaw remediation by upgrading to Expr v1.17.0 or later, which adds compile-time node and memory limits to block vulnerable parsing.

References

GitHub Security Advisory GHSA-93mq-9ffx-83m2
Expr pull request #762
Fix commit 0d19441454426d2f58edb22c31f3ba5f99c7a26e