CVE-2025-29786

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published Mar 17, 2025
CWE ID 770

Summary

CVE-2025-29786 is a vulnerability affecting the Expr expression language and evaluation library for Go. Prior to version 1.17.0, the Expr parser attempted to compile unbounded input strings, creating an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios where input size isn't limited, this could lead to excessive memory usage and an Out-Of-Memory (OOM) crash. The issue is uncommon and only occurs when there are no restrictions on input size. The latest versions of the Expr library (1.17.0 and later) include compile-time limits on the number of AST nodes and memory usage during parsing, preventing any single expression from exhausting resources. Users are advised to upgrade to the latest version or impose an input size restriction before parsing to prevent potential memory exhaustion.
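The two mitigations the summary names, an input size restriction applied before parsing and a cap on the number of AST nodes the parser may produce, sketched as an added Go example. This is not code from the Expr project: it uses Go's standard `go/parser` as a stand-in for the expression parser, and the limits `MaxInputBytes` and `MaxASTNodes` are illustrative values, not anything Expr defines.

```go
package main

import (
	"errors"
	"fmt"
	"go/ast"
	"go/parser"
	"strings"
)

// Illustrative limits (assumed values): size the first to the largest
// expression the application legitimately accepts, the second to the
// memory budget one parse may consume.
const (
	MaxInputBytes = 4096 // checked before any parsing work is done
	MaxASTNodes   = 512  // checked on the tree the parser produced
)

var (
	ErrInputTooLarge = errors.New("expression exceeds input size limit")
	ErrTooManyNodes  = errors.New("expression exceeds AST node limit")
)

// countNodes walks the tree and reports whether it stays within budget; the
// walk aborts as soon as the budget is exceeded so the check itself is bounded.
func countNodes(root ast.Node, budget int) (int, bool) {
	n, ok := 0, true
	ast.Inspect(root, func(node ast.Node) bool {
		if node == nil || !ok {
			return false
		}
		n++
		if n > budget {
			ok = false
		}
		return ok
	})
	return n, ok
}

// CompileBounded rejects oversized input before parsing and oversized trees
// after parsing, so no single expression can exhaust memory.
func CompileBounded(src string) (ast.Expr, error) {
	if len(src) > MaxInputBytes {
		return nil, ErrInputTooLarge
	}
	expr, err := parser.ParseExpr(src)
	if err != nil {
		return nil, err
	}
	if _, ok := countNodes(expr, MaxASTNodes); !ok {
		return nil, ErrTooManyNodes
	}
	return expr, nil
}

func main() {
	_, err := CompileBounded("a + b*2")
	fmt.Println("small expression:", err)
	big := "1" + strings.Repeat("+1", 3000) // constructed oversized input
	_, err = CompileBounded(big)
	fmt.Println("oversized expression:", err)
}
```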
