CVE-2025-68156
Stack Overflow DoS in Expr Builtin Functions via Recursive Calls
Publication date: 2025-12-16
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| expr-lang | expr | < 1.17.7 (1.17.7 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68156 is a denial-of-service (DoS) vulnerability in the Go expression-evaluation package Expr (expr-lang/expr), affecting versions prior to 1.17.7. Several builtin functions, including flatten, min, max, mean, and median, recursively traverse user-supplied data structures without limiting recursion depth. When these functions encounter deeply nested or cyclic data, they recurse without bound until the stack overflows, and the resulting panic crashes the host application. The vulnerability is reachable whenever Expr evaluates expressions against untrusted or dynamically constructed data that contains cyclic references or very deep nesting; the outcome is a process crash rather than a recoverable error. [1, 2]
How can this vulnerability impact me?
This vulnerability can cause your application to crash unexpectedly with a stack overflow panic when Expr evaluates expressions over deeply nested or cyclic data structures. The result is a denial-of-service (DoS) condition in which the application becomes unavailable. Because the crash occurs at the process level, the entire host application terminates, affecting availability and reliability. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for application crashes or stack overflow panics when Expr evaluates expressions that apply the affected builtin functions (flatten, min, max, mean, median) to user-supplied data. Detection involves checking whether the application logs show stack overflow panics or crashes attributable to recursive evaluation. Since the issue arises from deeply nested or cyclic data structures causing unbounded recursion, you can test by supplying crafted expressions with cyclic or deeply nested data to the Expr evaluation environment and observing whether the application crashes. No specific commands are provided in the resources, but wrapping expression evaluation with panic recovery and logging the recovered errors can help detect attempts to exploit this vulnerability. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Upgrade Expr to version 1.17.7 or later, which introduces a maximum recursion depth limit and prevents stack overflow panics.
2. If upgrading is not immediately possible, ensure that evaluation environments contain no cyclic references by validating or sanitizing externally supplied data structures before evaluation.
3. Wrap expression evaluation calls with panic recovery to prevent full process crashes, as a last-resort defensive measure.

These mitigations reduce risk but do not fully eliminate it without the patch. Additionally, in the patched version users can tune the maximum recursion depth via the builtin.MaxDepth parameter to balance robustness against legitimately deep data structures. [1, 2]
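The following Go program is an added illustration of mitigation steps 2 and 3 above (and of the panic-recovery logging suggested under detection); it is not code from the Expr project and does not import it. `MaxDepth`, `Flatten`, `ValidateNoCycle`, `SafeEval` and `Evaluate` are names chosen here, and the depth value is a placeholder standing in for the real `builtin.MaxDepth` knob in 1.17.7. The sample inputs are constructed inline. One caveat a Go practitioner needs: exhausting a goroutine's stack is a fatal runtime error (`fatal error: stack overflow`) that `recover()` cannot intercept, so a recover wrapper only helps once a depth limit has turned runaway recursion into an ordinary error or panic before the stack is gone.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
)

// Illustrative code added to this entry; not expr's own implementation.
// MaxDepth plays the role of builtin.MaxDepth in expr 1.17.7 (placeholder value).
const MaxDepth = 100

var (
	ErrMaxDepth = errors.New("flatten: nesting exceeds MaxDepth")
	ErrCycle    = errors.New("input contains a cyclic reference")
)

// Flatten walks nested []any values the way a flatten builtin would, but
// returns ErrMaxDepth instead of recursing until the goroutine stack is gone.
func Flatten(v any) ([]any, error) {
	return flattenAt(v, 0, nil)
}

func flattenAt(v any, depth int, out []any) ([]any, error) {
	if depth > MaxDepth {
		return nil, ErrMaxDepth
	}
	s, ok := v.([]any)
	if !ok {
		return append(out, v), nil // scalar leaf
	}
	var err error
	for _, e := range s {
		if out, err = flattenAt(e, depth+1, out); err != nil {
			return nil, err
		}
	}
	return out, nil
}

// ValidateNoCycle rejects arrays or maps that refer back to an ancestor
// (mitigation step 2). Containers are identified by their backing data
// pointer; only the current DFS path is tracked, so shared subtrees pass.
func ValidateNoCycle(v any) error {
	if hasCycle(v, map[uintptr]bool{}) {
		return ErrCycle
	}
	return nil
}

func hasCycle(v any, onPath map[uintptr]bool) bool {
	var children []any
	switch c := v.(type) {
	case []any:
		children = c
	case map[string]any:
		for _, e := range c {
			children = append(children, e)
		}
	default:
		return false
	}
	if len(children) == 0 {
		return false // empty containers share a pointer; nothing to recurse into
	}
	p := reflect.ValueOf(v).Pointer()
	if onPath[p] {
		return true
	}
	onPath[p] = true
	defer delete(onPath, p)
	for _, e := range children {
		if hasCycle(e, onPath) {
			return true
		}
	}
	return false
}

// SafeEval turns a panic raised inside eval into an error so the host
// process keeps running (mitigation step 3). A genuine Go stack overflow
// is fatal and not recoverable, which is why the depth limit must fire first.
func SafeEval(eval func() (any, error)) (result any, err error) {
	defer func() {
		if r := recover(); r != nil {
			result, err = nil, fmt.Errorf("evaluation panicked: %v", r)
		}
	}()
	return eval()
}

// Evaluate chains the checks: reject cycles up front, then run the
// depth-bounded builtin under panic recovery.
func Evaluate(in any) (any, error) {
	if err := ValidateNoCycle(in); err != nil {
		return nil, err
	}
	return SafeEval(func() (any, error) { return Flatten(in) })
}

func main() {
	// Constructed sample inputs: a normal array, a self-referencing array
	// and an array nested deeper than MaxDepth.
	normal := []any{1, []any{2, []any{3}}}
	cyclic := make([]any, 1)
	cyclic[0] = cyclic
	deep := any(1)
	for i := 0; i < MaxDepth+5; i++ {
		deep = []any{deep}
	}
	for _, in := range []any{normal, cyclic, deep} {
		out, err := Evaluate(in)
		fmt.Printf("result=%v err=%v\n", out, err)
	}
}
```

The cycle check runs before evaluation because it is cheap and deterministic, whereas relying on recovery alone leaves the fatal stack-overflow path open. Logging the error returned by `Evaluate` gives the crash-free signal the detection answer asks for.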
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability primarily causes a denial of service (DoS) by crashing the host application through unbounded recursion and the resulting stack overflow. It does not affect the confidentiality or integrity of data, only availability. While availability is a component of many compliance standards such as GDPR and HIPAA, the provided information does not state any direct compliance impact or regulatory violation caused by this vulnerability. The effect on compliance therefore depends on how the affected application is used and whether availability disruptions violate specific regulatory requirements. No direct compliance impact is detailed in the provided resources. [1]