The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-29786

CVE-2025-29786: Expr for Go DoS Vulnerability

CVE-2025-29786 is a denial of service vulnerability in Expr for Go caused by unbounded input processing that leads to excessive memory consumption. This article covers technical details, affected versions, and mitigation.

Updated: January 22, 2026

CVE-2025-29786 Overview

CVE-2025-29786 is a Resource Exhaustion vulnerability in Expr, an expression language and expression evaluation library for Go. Prior to version 1.17.0, the Expr expression parser does not impose limits on input size, allowing an attacker to supply an extremely large expression string that causes the parser to build a massive Abstract Syntax Tree (AST). This unbounded memory allocation can lead to Out-Of-Memory (OOM) conditions, ultimately crashing the affected process.

Critical Impact

Applications using the Expr library without input validation are vulnerable to denial of service attacks through memory exhaustion, potentially causing service disruption and system instability.

Affected Products

  • Expr (expr-lang/expr) versions prior to 1.17.0
  • Go applications integrating the Expr expression evaluation library without input size restrictions

Discovery Timeline

  • 2025-03-17 - CVE-2025-29786 published to NVD
  • 2025-03-17 - Last updated in NVD database

Technical Details for CVE-2025-29786

Vulnerability Analysis

This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The core issue lies in the Expr library's parsing mechanism, which processes expression strings without any constraints on input size or AST complexity. When the parser encounters an expression string, it attempts to compile the entire input and generates an AST node for each component of the expression.

In attack scenarios, a malicious actor can craft or submit an arbitrarily large expression string to any application endpoint that uses Expr for expression evaluation. As the parser processes this oversized input, it allocates memory for each AST node without checking cumulative resource consumption. This can rapidly exhaust available memory, leading to an OOM condition that crashes the process.

The vulnerability is network-exploitable with low attack complexity, requiring no privileges or user interaction. However, it only affects confidentiality, integrity, and availability in terms of service disruption—specifically targeting availability through denial of service.

Root Cause

The root cause of CVE-2025-29786 is the absence of compile-time limits on AST node count and memory usage during the expression parsing phase. The parser was designed to handle expressions of any size without safeguards, which is problematic when applications accept untrusted or unvalidated input strings. Without boundaries on resource allocation, the parser continues building the AST until either completion or system memory exhaustion.

Attack Vector

This vulnerability can be exploited remotely over the network. An attacker targeting an application that uses Expr for dynamic expression evaluation can submit a maliciously crafted, extremely large expression string through any input mechanism (API endpoints, form fields, configuration files, etc.). The attack does not require authentication or any special privileges.

The exploitation mechanism works as follows: the oversized expression forces the parser to allocate memory continuously as it builds an increasingly large AST. Since no limits exist on the number of nodes or total memory usage, the parser will attempt to process the entire expression, regardless of length. This memory consumption can grow until the operating system terminates the process due to OOM conditions, effectively causing a denial of service.

For technical implementation details, refer to the GitHub Pull Request #762 which contains the patch introducing resource limits.

Detection Methods for CVE-2025-29786

Indicators of Compromise

  • Unusually large memory consumption by applications using the Expr library
  • Process crashes or OOM killer invocations coinciding with expression evaluation operations
  • Incoming requests containing abnormally long expression strings
  • Application logs showing parsing failures or timeouts on expression evaluation

Detection Strategies

  • Monitor application memory usage patterns and alert on sudden spikes during expression parsing operations
  • Implement request logging to capture and analyze the size of expression strings being submitted
  • Deploy application-level monitoring to track AST compilation times and resource consumption
  • Review web application firewall (WAF) logs for requests with unusually large payloads targeting expression evaluation endpoints

Monitoring Recommendations

  • Configure memory threshold alerts for processes running Expr-based expression evaluation
  • Implement request size monitoring at load balancers and API gateways
  • Enable detailed logging for expression parsing operations to capture attempted exploitation
  • Set up crash dump analysis to identify OOM-related failures linked to expression processing

How to Mitigate CVE-2025-29786

Immediate Actions Required

  • Upgrade to Expr version 1.17.0 or later immediately
  • Audit all application code to identify where Expr is used for expression evaluation
  • Implement input validation to restrict expression string length before parsing
  • Review API endpoints and user-facing features that accept expression inputs for potential exposure

Patch Information

The vulnerability has been patched in Expr version 1.17.0. This release introduces compile-time limits on the number of AST nodes and memory usage during parsing, preventing any single expression from exhausting system resources. The fix ensures that extremely deep or large expressions are detected and safely aborted during compilation, avoiding OOM conditions.

For detailed patch information, see the GitHub Security Advisory and the related pull request.

Workarounds

  • Impose a maximum character limit on expression strings before passing them to the parser
  • Implement application-level validation to reject or truncate expressions exceeding a defined threshold
  • Deploy rate limiting on endpoints that accept expression inputs to slow potential exploitation attempts
  • Use resource quotas (cgroups, container limits) to constrain memory available to affected processes
bash
# Example: Go application input validation before Expr parsing
# Validate expression length before parsing
MAX_EXPR_LENGTH=10000
# In your application code, check len(expression) < MAX_EXPR_LENGTH before calling expr.Compile()
# Reject or truncate any expression exceeding this limit

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechExpr
  • SeverityHIGH
  • CVSS Score7.5
  • EPSS Probability0.13%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-770
  • Technical References
  • GitHub Pull Request
  • GitHub Security Advisory
  • Latest CVEs
  • CVE-2025-70797: LimeSurvey XSS Vulnerability
  • CVE-2025-30650: Juniper Junos OS Auth Bypass Vulnerability
  • CVE-2026-35471: Goshs Path Traversal Vulnerability
  • CVE-2026-35393: Goshs Path Traversal Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English