Advisory GHSA-cfpf-hrx2-8rv6 references a vulnerability in the following Go modules:
Description:
Several builtin functions in Expr, including flatten, min, max, mean, and median, perform
recursive traversal over user-provided data structures without enforcing a maximum recursion depth.
If the evaluation environment contains deeply nested or cyclic data structures, these functions may recurse
indefinitely until they exceed the Go runtime stack limit. This results in a stack overflow panic, causing the host
application to crash.
While exploitability depends on whether an attacker can influence or inject cyclic or pathologically deep data into the
evaluation environment, t...
References:
Cross references:
- github.com/expr-lang/expr appears in 1 other report(s):
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/expr-lang/expr
versions:
- fixed: 1.17.7
vulnerable_at: 1.17.6
summary: Expr has Denial of Service via Unbounded Recursion in Builtin Functions in github.com/expr-lang/expr
cves:
- CVE-2025-68156
ghsas:
- GHSA-cfpf-hrx2-8rv6
references:
- advisory: https://github.com/advisories/GHSA-cfpf-hrx2-8rv6
- advisory: https://github.com/expr-lang/expr/security/advisories/GHSA-cfpf-hrx2-8rv6
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-68156
- fix: https://github.com/expr-lang/expr/pull/870
source:
id: GHSA-cfpf-hrx2-8rv6
created: 2025-12-16T23:01:25.353708525Z
review_status: UNREVIEWED
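The description above says the affected builtins recurse over nested values with no depth bound, so a self-referencing slice (or one nested deep enough) drives the goroutine stack past its limit and panics. The Go program below is an added illustration of that failure mode and of the depth-bounded shape of fix the description implies; it is not code from github.com/expr-lang/expr or from PR #870. The function names unboundedFlatten and boundedFlatten, the maxDepth parameter, the ErrMaxDepth error and the cyclic/deep sample inputs are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
)

// ErrMaxDepth is returned when nesting exceeds the configured limit.
// Assumed name for this example; the expr project's fix may differ.
var ErrMaxDepth = errors.New("flatten: maximum nesting depth exceeded")

// unboundedFlatten mirrors the vulnerable pattern the advisory describes:
// it recurses into every nested slice with no depth limit. On a cyclic
// input it never returns and eventually overflows the goroutine stack,
// crashing the host process. Illustrative only; not the project's code.
func unboundedFlatten(v any, out []any) []any {
	rv := reflect.ValueOf(v)
	if rv.Kind() == reflect.Slice || rv.Kind() == reflect.Array {
		for i := 0; i < rv.Len(); i++ {
			out = unboundedFlatten(rv.Index(i).Interface(), out)
		}
		return out
	}
	return append(out, v)
}

// boundedFlatten is the hardened variant: it tracks the current depth and
// returns ErrMaxDepth instead of recursing past maxDepth, so a cyclic or
// pathologically deep value produces an error the caller can handle
// rather than a stack-overflow panic.
func boundedFlatten(v any, maxDepth int) ([]any, error) {
	return flattenDepth(v, nil, 0, maxDepth)
}

func flattenDepth(v any, out []any, depth, maxDepth int) ([]any, error) {
	rv := reflect.ValueOf(v)
	if rv.Kind() != reflect.Slice && rv.Kind() != reflect.Array {
		return append(out, v), nil
	}
	if depth >= maxDepth {
		return nil, ErrMaxDepth
	}
	var err error
	for i := 0; i < rv.Len(); i++ {
		out, err = flattenDepth(rv.Index(i).Interface(), out, depth+1, maxDepth)
		if err != nil {
			return nil, err
		}
	}
	return out, nil
}

// cyclicInput builds a slice that contains itself, the kind of value an
// attacker-influenced evaluation environment could supply. Constructed
// sample input for this example.
func cyclicInput() []any {
	s := make([]any, 2)
	s[0] = 1
	s[1] = s // s[1] refers back to s, so traversal never bottoms out
	return s
}

// deepInput nests n levels of single-element slices (constructed input).
func deepInput(n int) any {
	var v any = 42
	for i := 0; i < n; i++ {
		v = []any{v}
	}
	return v
}

func main() {
	flat, err := boundedFlatten([]any{1, []any{2, []any{3}}}, 64)
	fmt.Println(flat, err) // [1 2 3] <nil>

	_, err = boundedFlatten(cyclicInput(), 64)
	fmt.Println(err) // flatten: maximum nesting depth exceeded

	_, err = boundedFlatten(deepInput(10000), 64)
	fmt.Println(err) // flatten: maximum nesting depth exceeded

	// unboundedFlatten(cyclicInput(), nil) is deliberately not called: it
	// would recurse until the runtime aborts with a stack overflow.
}
```

The check that matters is that depth is compared before descending, not after, so the bound holds on every path including the first level; a cycle is then just a special case of "too deep" and needs no separate visited-set. Whatever limit a host picks, the error must surface to the caller of the expression rather than being swallowed, or the crash simply turns into a silent wrong result.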