Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68156

CVE-2025-68156: Expr-lang Expr DoS Vulnerability

CVE-2025-68156 is a denial-of-service vulnerability in Expr-lang Expr caused by unlimited recursion in builtin functions. Attackers can crash applications using deeply nested data. Learn about affected versions and patches.

Published:

CVE-2025-68156 Overview

CVE-2025-68156 is a denial of service vulnerability in Expr, an expression language and expression evaluation library for Go. Prior to version 1.17.7, several builtin functions in Expr, including flatten, min, max, mean, and median, perform recursive traversal over user-provided data structures without enforcing a maximum recursion depth. If the evaluation environment contains deeply nested or cyclic data structures, these functions may recurse indefinitely until exceeding the Go runtime stack limit, resulting in a stack overflow panic that causes the host application to crash.

Critical Impact

Attackers can crash applications using Expr by providing deeply nested or cyclic data structures to builtin functions, causing stack exhaustion and denial of service without the ability to recover gracefully.

Affected Products

  • Expr-lang Expr versions prior to 1.17.7
  • Go applications using the expr-lang/expr library with vulnerable builtin functions
  • Systems evaluating expressions against externally supplied or dynamically constructed environments

Discovery Timeline

  • 2025-12-16 - CVE CVE-2025-68156 published to NVD
  • 2026-03-05 - Last updated in NVD database

Technical Details for CVE-2025-68156

Vulnerability Analysis

This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The core issue stems from several builtin functions within the Expr library performing unbounded recursive operations on user-controlled data structures. When these functions encounter deeply nested arrays, maps, or structs—or data structures containing cyclic references—they continue recursing without any depth limitations until the Go runtime's stack is exhausted.

The affected builtin functions (flatten, min, max, mean, and median) are commonly used for data manipulation and aggregation operations. Each of these functions traverses input data structures recursively to perform their operations, making them susceptible to stack exhaustion attacks when processing maliciously crafted inputs.

Root Cause

The root cause is the absence of recursion depth limits in the affected builtin functions. When these functions process data structures, they recursively descend into nested elements without tracking or limiting the recursion depth. Go's runtime has a finite stack size, and when this limit is exceeded through deep recursion, the runtime triggers a stack overflow panic. Unlike recoverable errors, this panic terminates the process unless caught by panic recovery mechanisms higher in the call stack.

Attack Vector

The attack vector is network-accessible, requiring no authentication or user interaction. An attacker can exploit this vulnerability by injecting or influencing the data structures that are passed to Expr for expression evaluation. The attack is particularly relevant in scenarios where:

  • Expr evaluates expressions against externally supplied or dynamically constructed environments
  • Cyclic references can be introduced into arrays, maps, or structs (directly or indirectly)
  • No application-level safeguards prevent deeply nested input data

The attacker constructs a deeply nested or cyclic data structure and triggers evaluation of an expression that invokes one of the vulnerable builtin functions (such as flatten(malicious_data) or max(nested_array)). When the function attempts to traverse this structure, the unbounded recursion exhausts the stack, causing a process-level crash.

Detection Methods for CVE-2025-68156

Indicators of Compromise

  • Application crashes with Go runtime stack overflow panics during expression evaluation
  • Unexpected process terminations in services using the Expr library
  • Error logs showing panic messages related to stack exhaustion in flatten, min, max, mean, or median functions
  • Unusually deep or cyclic data structures appearing in input data streams

Detection Strategies

  • Monitor application logs for stack overflow panic messages originating from Expr library functions
  • Implement application-level monitoring to detect sudden process terminations during expression evaluation
  • Review input validation logs for deeply nested JSON or data structures being submitted to expression evaluation endpoints
  • Audit dependencies to identify applications using expr-lang/expr versions prior to 1.17.7

Monitoring Recommendations

  • Set up alerting for repeated application crashes or restarts in services utilizing Expr
  • Implement structured logging around expression evaluation calls to capture input characteristics
  • Monitor memory and CPU usage patterns that may indicate recursive processing of malicious inputs
  • Deploy application health checks that detect and report stack overflow conditions

How to Mitigate CVE-2025-68156

Immediate Actions Required

  • Upgrade to Expr version 1.17.7 or later, which includes recursion depth limits for affected builtin functions
  • Audit applications using Expr to identify expression evaluation endpoints that accept external input
  • Implement input validation to reject data structures with excessive nesting depth before passing to Expr
  • Wrap expression evaluation calls with panic recovery as a defensive measure to prevent full process crashes

Patch Information

The vulnerability has been fixed in Expr version 1.17.7. The patch introduces a maximum recursion depth limit for the affected builtin functions (flatten, min, max, mean, and median). When this limit is exceeded, evaluation aborts gracefully and returns a descriptive error instead of panicking. Additionally, the maximum depth can be customized by users via builtin.MaxDepth, allowing applications with legitimate deep structures to raise the limit in a controlled manner.

For detailed patch information, refer to the GitHub Pull Request #870 and the GitHub Security Advisory GHSA-cfpf-hrx2-8rv6.

Workarounds

  • Ensure that evaluation environments cannot contain cyclic references by implementing cycle detection before evaluation
  • Validate or sanitize externally supplied data structures before passing them to Expr, enforcing maximum nesting depth limits
  • Wrap expression evaluation with panic recovery using Go's recover() mechanism to prevent full process crashes (as a last-resort defensive measure)
  • Implement rate limiting and request size limits on endpoints that accept data for expression evaluation
bash
# Example: Update expr-lang/expr dependency to patched version
go get github.com/expr-lang/expr@v1.17.7
go mod tidy

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.