CVE-2025-68156: Expr-lang Expr DoS Vulnerability

CVE-2025-68156 is a denial-of-service vulnerability in Expr-lang Expr caused by unlimited recursion in builtin functions. Attackers can crash applications using deeply nested data. Learn about affected versions and patches.

Published: April 14, 2026

CVE-2025-68156 Overview

CVE-2025-68156 is a denial of service vulnerability in Expr, an expression language and expression evaluation library for Go. Prior to version 1.17.7, several builtin functions in Expr, including flatten, min, max, mean, and median, perform recursive traversal over user-provided data structures without enforcing a maximum recursion depth. If the evaluation environment contains deeply nested or cyclic data structures, these functions recurse until the goroutine exceeds the Go runtime's maximum stack size, at which point the runtime aborts the whole host process with "fatal error: stack overflow".

Critical Impact

Attackers can crash any application that evaluates one of the affected builtins over data they control by supplying a deeply nested or cyclic structure. The resulting stack exhaustion is a fatal runtime error, not a recoverable panic, so the whole process goes down, not just the request that carried the malicious input.

Affected Products

  • Expr-lang Expr versions prior to 1.17.7
  • Go applications using the expr-lang/expr library with vulnerable builtin functions
  • Systems evaluating expressions against externally supplied or dynamically constructed environments

Discovery Timeline

  • 2025-12-16 - CVE-2025-68156 published to NVD
  • 2026-03-05 - Last updated in NVD database

Technical Details for CVE-2025-68156

Vulnerability Analysis

This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The core issue stems from several builtin functions within the Expr library performing unbounded recursive operations on user-controlled data structures. When these functions encounter deeply nested arrays, maps, or structs—or data structures containing cyclic references—they continue recursing without any depth limitations until the Go runtime's stack is exhausted.

The affected builtin functions (flatten, min, max, mean, and median) are commonly used for data manipulation and aggregation. Each of them traverses its input recursively to perform its operation, which makes all of them susceptible to stack exhaustion when they process maliciously crafted input.

Root Cause

The root cause is the absence of recursion depth limits in the affected builtin functions. When these functions process data structures, they recursively descend into nested elements without tracking or limiting the recursion depth, and without noticing that a container refers back to itself. Each Go goroutine has a finite maximum stack (1 GB by default on 64-bit platforms); when deep recursion pushes past it, the runtime prints "runtime: goroutine stack exceeds 1000000000-byte limit" and aborts with "fatal error: stack overflow". This is a runtime throw, not an ordinary panic: a deferred recover() higher in the call stack cannot intercept it, so the entire process terminates, taking every other goroutine and in-flight request with it.

Attack Vector

The CVSS vector rates the flaw as network-reachable with no privileges or user interaction required (AV:N/PR:N/UI:N). The library itself has no network surface; that rating assumes the host application evaluates expressions against data an attacker can shape, such as a JSON request body, a queued message, or records loaded from a store the attacker can write to. An attacker exploits the vulnerability by injecting or influencing the data structures that are passed to Expr for evaluation. The attack is particularly relevant in scenarios where:

  • Expr evaluates expressions against externally supplied or dynamically constructed environments
  • Cyclic references can be introduced into arrays, maps, or structs (directly or indirectly)
  • No application-level safeguards prevent deeply nested input data

The attacker supplies a deeply nested or cyclic data structure and triggers evaluation of an expression that invokes one of the vulnerable builtins on it (for example flatten(malicious_data) or max(nested_array)). The attacker often does not need to control the expression text at all: if the application's own trusted expression already calls flatten or max over a field of the environment, attacker-controlled data in that field is enough. When the function traverses the structure, the unbounded recursion exhausts the stack and the process is terminated.

Detection Methods for CVE-2025-68156

Indicators of Compromise

  • Application crashes whose stderr shows "runtime: goroutine stack exceeds 1000000000-byte limit" followed by "fatal error: stack overflow" during expression evaluation (the byte figure is the 64-bit default; 32-bit builds report a smaller limit)
  • Unexpected process terminations in services using the Expr library
  • Crash tracebacks in which frames from the Expr builtin package (flatten, min, max, mean, or median) repeat hundreds of times in the running goroutine
  • Unusually deep or cyclic data structures appearing in input data streams

Detection Strategies

  • Monitor application logs for stack overflow panic messages originating from Expr library functions
  • Implement application-level monitoring to detect sudden process terminations during expression evaluation
  • Review input validation logs for deeply nested JSON or data structures being submitted to expression evaluation endpoints
  • Audit dependencies to identify applications using expr-lang/expr versions prior to 1.17.7

Monitoring Recommendations

  • Set up alerting for repeated application crashes or restarts in services utilizing Expr
  • Implement structured logging around expression evaluation calls to capture input characteristics
  • Monitor memory usage around expression evaluation: a goroutine's stack grows toward the 1 GB default maximum before the runtime aborts, so a steep climb in resident memory followed immediately by a restart is characteristic of this bug
  • Deploy application health checks that detect and report stack overflow conditions
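
As an added example (not from this page or the Expr project), the following Go program implements the first detection strategy above over a crash dump: it looks for the runtime's stack-overflow header, finds the function that repeats most in the crashing goroutine, and checks whether that function lives in Expr's builtin package. The sample dump is constructed by the program in the shape the Go runtime prints; the frame names (builtin.flatten, vm.(*VM).Run, main.evaluateHandler), paths and ":0 +0x0" positions are placeholders, not captured output.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// CrashVerdict is what AnalyzeCrash extracts from one Go crash dump.
type CrashVerdict struct {
	StackOverflow bool   // the dump carries the runtime's "fatal error: stack overflow" header
	HotFrame      string // function that appears most often in the crashing goroutine
	HotCount      int    // its number of appearances; runaway recursion leaves hundreds
	ExprBuiltin   bool   // HotFrame lives in expr's builtin package
}

// Package path of expr's builtin functions; frames under it name the recursion.
const exprBuiltinPrefix = "github.com/expr-lang/expr/builtin."

// AnalyzeCrash scans a Go runtime crash dump (what the process writes to stderr
// and a supervisor or log shipper captures) and decides whether it is a stack
// overflow whose recursion sits in expr's builtins. In a traceback, function
// lines are unindented and end in an argument list; the file:line lines that
// follow each one are tab-indented and are ignored here.
func AnalyzeCrash(dump string) CrashVerdict {
	var v CrashVerdict
	counts := map[string]int{}
	inRunning := false
	sc := bufio.NewScanner(strings.NewReader(dump))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case strings.HasPrefix(line, "fatal error: stack overflow"):
			v.StackOverflow = true // a runtime throw, not a panic: recover() never sees it
		case strings.HasPrefix(line, "goroutine "):
			inRunning = strings.Contains(line, "[running]") // only the crashing goroutine matters
		case inRunning && !strings.HasPrefix(line, "\t") && !strings.HasPrefix(line, "created by"):
			if i := strings.LastIndex(line, "("); i > 0 {
				counts[line[:i]]++ // strip the argument list, keep pkg/path.Func
			}
		}
	}
	for fn, n := range counts {
		if n > v.HotCount {
			v.HotFrame, v.HotCount = fn, n
		}
	}
	v.ExprBuiltin = strings.HasPrefix(v.HotFrame, exprBuiltinPrefix)
	return v
}

// constructedDump builds a crash dump in the shape the Go runtime prints for a
// stack overflow. It is constructed for this example: frame names, paths and
// the ":0 +0x0" positions are placeholders, not output captured from a real crash.
func constructedDump(recursionFrames int) string {
	var b strings.Builder
	b.WriteString("runtime: goroutine stack exceeds 1000000000-byte limit\n")
	b.WriteString("fatal error: stack overflow\n\n")
	b.WriteString("goroutine 34 [running]:\n")
	for i := 0; i < recursionFrames; i++ {
		b.WriteString("github.com/expr-lang/expr/builtin.flatten(...)\n")
		b.WriteString("\t/go/pkg/mod/github.com/expr-lang/expr@v1.17.6/builtin/lib.go:0 +0x0\n")
	}
	b.WriteString("github.com/expr-lang/expr/vm.(*VM).Run(...)\n\t/go/pkg/mod/github.com/expr-lang/expr@v1.17.6/vm/vm.go:0 +0x0\n")
	b.WriteString("main.evaluateHandler(...)\n\t/src/app/handler.go:0 +0x0\n")
	b.WriteString("created by net/http.(*Server).Serve in goroutine 1\n\n")
	b.WriteString("goroutine 1 [IO wait]:\nnet/http.(*Server).Serve(...)\n\t/usr/local/go/src/net/http/server.go:0 +0x0\n")
	return b.String()
}

// constructedPanicDump is an ordinary, recoverable panic from the same app, for contrast.
func constructedPanicDump() string {
	return "panic: runtime error: index out of range [5] with length 3\n\n" +
		"goroutine 7 [running]:\n" +
		"main.parseHeader(...)\n\t/src/app/parse.go:0 +0x0\n" +
		"main.evaluateHandler(...)\n\t/src/app/handler.go:0 +0x0\n"
}

func main() {
	// StackOverflow:true HotFrame:github.com/expr-lang/expr/builtin.flatten HotCount:200 ExprBuiltin:true
	fmt.Printf("%+v\n", AnalyzeCrash(constructedDump(200)))
	// StackOverflow:false HotCount:1 ExprBuiltin:false
	fmt.Printf("%+v\n", AnalyzeCrash(constructedPanicDump()))
}
```

Feed it the stderr captured by your supervisor (systemd's journal, a container runtime's log driver, or a crash-reporting hook) rather than application-level logs: the traceback is written by the runtime itself, so it is present even when the application had no chance to log anything. A verdict with StackOverflow and ExprBuiltin both set on a host still running expr below 1.17.7 is a strong signal that the endpoint is being fed hostile environments.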

How to Mitigate CVE-2025-68156

Immediate Actions Required

  • Upgrade to Expr version 1.17.7 or later, which includes recursion depth limits for affected builtin functions
  • Audit applications using Expr to identify expression evaluation endpoints that accept external input
  • Implement input validation to reject data structures with excessive nesting depth before passing to Expr
  • Do not rely on a deferred recover() around the evaluation call: stack exhaustion is a fatal runtime error, not a panic, and recover() cannot intercept it. If the evaluator must survive hostile input before the upgrade lands, isolate evaluation in a separate process or a supervised worker so that a crash does not take down the whole service

Patch Information

The vulnerability has been fixed in Expr version 1.17.7. The patch introduces a maximum recursion depth limit for the affected builtin functions (flatten, min, max, mean, and median). When this limit is exceeded, evaluation aborts gracefully and returns a descriptive error instead of panicking. Additionally, the maximum depth can be customized by users via builtin.MaxDepth, allowing applications with legitimate deep structures to raise the limit in a controlled manner.

For detailed patch information, refer to the GitHub Pull Request #870 and the GitHub Security Advisory GHSA-cfpf-hrx2-8rv6.

Workarounds

  • Ensure that evaluation environments cannot contain cyclic references by implementing cycle detection before evaluation
  • Validate or sanitize externally supplied data structures before passing them to Expr, enforcing maximum nesting depth limits
  • Run evaluation in an isolated process or a supervised worker so that a crash is contained; wrapping the call with Go's recover() does not help here, because the runtime's "fatal error: stack overflow" is a throw that recover() cannot catch
  • Implement rate limiting and request size limits on endpoints that accept data for expression evaluation
```bash
# Example: update the expr-lang/expr dependency to the patched version
go get github.com/expr-lang/expr@v1.17.7
go mod tidy
```
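
The pre-evaluation guard recommended in the first two workarounds, as an added example in Go (this is not code from the Expr project; CheckNesting, ErrCycle and ErrTooDeep are names chosen here). It walks an environment with reflect the same way the affected builtins descend into their input, but with the two checks they lacked before 1.17.7: a hard limit on container nesting and detection of a map, slice or pointer that refers back to one of its ancestors. The sample environments at the bottom are constructed for the demonstration; the cyclic map is the shape described under Attack Vector above.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
)

// Sentinel errors for the two input shapes that drove the pre-1.17.7 builtins
// into unbounded recursion. These names are this example's own, not expr's.
var (
	ErrCycle   = errors.New("environment contains a cyclic reference")
	ErrTooDeep = errors.New("environment nesting exceeds the allowed depth")
)

// CheckNesting walks v the way flatten/min/max/mean/median descend into their
// input (slices, arrays, maps and exported struct fields, through pointers and
// interfaces) but stops at maxDepth nested containers (a flat list is depth 1,
// a list of lists depth 2) and reports any map, slice or pointer that refers
// back to one of its own ancestors. Run it on an environment before evaluation.
func CheckNesting(v any, maxDepth int) error {
	onPath := map[uintptr]bool{} // containers on the current descent path
	return walk(reflect.ValueOf(v), 0, maxDepth, onPath)
}

func walk(rv reflect.Value, depth, maxDepth int, onPath map[uintptr]bool) error {
	switch rv.Kind() {
	case reflect.Interface, reflect.Ptr:
		if rv.IsNil() {
			return nil
		}
		if rv.Kind() == reflect.Interface {
			return walk(rv.Elem(), depth, maxDepth, onPath) // unwrapping is not nesting
		}
		return descend(rv.Pointer(), onPath, func() error { return walk(rv.Elem(), depth, maxDepth, onPath) })
	case reflect.Map, reflect.Slice: // reference types: these are what can form loops
		if rv.IsNil() || rv.Len() == 0 {
			return nil
		}
		if depth >= maxDepth {
			return ErrTooDeep
		}
		return descend(rv.Pointer(), onPath, func() error { return walkChildren(rv, depth+1, maxDepth, onPath) })
	case reflect.Array, reflect.Struct: // value types: cannot refer to themselves directly
		if depth >= maxDepth {
			return ErrTooDeep
		}
		return walkChildren(rv, depth+1, maxDepth, onPath)
	}
	return nil // scalars end the walk
}

// walkChildren visits every element of a container, each at the given depth.
func walkChildren(rv reflect.Value, depth, maxDepth int, onPath map[uintptr]bool) error {
	var err error
	switch rv.Kind() {
	case reflect.Map:
		for it := rv.MapRange(); err == nil && it.Next(); {
			err = walk(it.Value(), depth, maxDepth, onPath)
		}
	case reflect.Struct:
		for i := 0; err == nil && i < rv.NumField(); i++ {
			if rv.Type().Field(i).IsExported() { // expr only reaches exported fields
				err = walk(rv.Field(i), depth, maxDepth, onPath)
			}
		}
	default: // slice or array
		for i := 0; err == nil && i < rv.Len(); i++ {
			err = walk(rv.Index(i), depth, maxDepth, onPath)
		}
	}
	return err
}

// descend marks addr as an ancestor while body runs. Siblings that share a
// backing array or map (legitimate and common) are not flagged, because the
// mark is removed on the way back up; only a true back-reference trips ErrCycle.
func descend(addr uintptr, onPath map[uintptr]bool, body func() error) error {
	if onPath[addr] {
		return ErrCycle
	}
	onPath[addr] = true
	defer delete(onPath, addr)
	return body()
}

// Constructed sample environments for the demonstration, not real application data.
func deepEnv(levels int) any { // levels nested lists around a single integer
	var v any = 1
	for i := 0; i < levels; i++ {
		v = []any{v}
	}
	return v
}

func cyclicEnv() map[string]any {
	env := map[string]any{"name": "payload"}
	env["self"] = env // a map holding itself: the cyclic shape that hangs flatten()
	return env
}

func main() {
	fmt.Println(CheckNesting(map[string]any{"a": []any{1, 2.5, map[string]any{"b": 3}}}, 8)) // <nil>
	fmt.Println(CheckNesting(deepEnv(1000), 32))                                               // ErrTooDeep
	fmt.Println(CheckNesting(cyclicEnv(), 32))                                                 // ErrCycle
}
```

Choose maxDepth from the deepest structure the application legitimately evaluates and reject anything that fails the check before it reaches Expr; the cost is one linear pass over the environment. This is defence in depth and a stopgap, not a substitute for upgrading to 1.17.7, where the same limit is enforced inside the builtins themselves.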

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: DoS
  • Vendor/Tech: Expr
  • Severity: HIGH
  • CVSS Score: 7.5
  • EPSS Probability: 0.04%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Assessment

  • Confidentiality: None
  • Integrity: None
  • Availability: High

CWE References

  • CWE-770

Vendor Resources

  • GitHub Pull Request
  • GitHub Security Advisory

Related CVEs

  • CVE-2025-29786: Expr for Go DoS Vulnerability
©2026 SentinelOne, All Rights Reserved.
