7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-29786

GHSA ID

GHSA-93mq-9ffx-83m2

EPSS Score

0.08318%

CWE

CWE-770

Published

3/17/2025

Updated

3/17/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-29786

CVE-2025-29786: Memory Exhaustion in Expr Parser with Unrestricted Input

Impact

If the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios where input size isn’t limited, a malicious or inadvertent extremely large expression can consume excessive memory as the parser builds a huge AST. This can ultimately lead to excessive memory usage and an Out-Of-Memory (OOM) crash of the process. This issue is relatively uncommon and will only manifest when there are no restrictions on the input size, i.e. the expression length is allowed to grow arbitrarily large. In typical use cases where inputs are bounded or validated, this problem would not occur.

Patches

The problem has been patched in the latest versions of the Expr library. The fix introduces compile-time limits on the number of AST nodes and memory usage during parsing, preventing any single expression from exhausting resources. Users should upgrade to Expr version 1.17.0 or later, as this release includes the new node budget and memory limit safeguards. Upgrading to v1.17.0 ensures that extremely deep or large expressions are detected and safely aborted during compilation, avoiding the OOM condition.

Workarounds

For users who cannot immediately upgrade, the recommended workaround is to impose an input size restriction before parsing. In practice, this means validating or limiting the length of expression strings that your application will accept. For example, set a maximum allowable number of characters (or nodes) for any expression and reject or truncate inputs that exceed this limit. By ensuring no unbounded-length expression is ever fed into the parser, you can prevent the parser from constructing a pathologically large AST and avoid potential memory exhaustion. In short, pre-validate and cap input size as a safeguard in the absence of the patch.

References

#762

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-29786

CVE-2025-29786:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-29786

GHSA ID

GHSA-93mq-9ffx-83m2

EPSS Score

0.08318%

CWE

CWE-770

Published

3/17/2025

Updated

3/17/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/expr-lang/expr	go	< 1.17.0	1.17.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is due to unrestricted AST node creation during parsing, leading to memory exhaustion. The patch (commit 0d19441454426d2f58edb22c31f3ba5f99c7a26e) introduces a node budget (MaxNodes in conf.Config) and modifies the parser to check this budget during node creation.

The core changes are in parser/parser.go:

A nodeCount field was added to the parser struct.
New methods checkNodeLimit, createNode, and createMemberNode were added to the parser struct. These methods increment nodeCount and check against config.MaxNodes.
Numerous parsing methods (e.g., parseExpression, parsePrimary, parseCall, parseMapExpression, etc.) were modified. Previously, they created AST nodes directly (e.g., &NodeType{...}). After the patch, they now call p.createNode(...) or p.createMemberNode(...) which incorporate the limit check.

Therefore, all these parse* methods within parser/parser.go that were changed to use the new node creation wrappers were the functions that, before the patch, would have created AST nodes without any limits, directly contributing to the memory exhaustion vulnerability when processing a large input string. The top-level functions Parse and ParseWithConfig are the entry points that initiate this vulnerable parsing process.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-29786: Memory Exhaustion in Expr Parser with Unrestricted Input

Impact

Patches

Workarounds

References

CVE-2025-29786:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

7.5

7.5

CVE-2025-29786: Memory Exhaustion in Expr Parser with Unrestricted Input

Impact

Patches

Workarounds

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI