Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-chwd-qyet-4qbz
Vulnerability ID VCID-chwd-qyet-4qbz
Aliases CVE-2025-29786
GHSA-93mq-9ffx-83m2
Summary Memory Exhaustion in Expr Parser with Unrestricted Input ### Impact If the Expr expression parser is given an **unbounded input string**, it will attempt to compile the *entire* string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios where input size isn’t limited, a malicious or inadvertent extremely large expression can consume excessive memory as the parser builds a huge AST. This can ultimately lead to **excessive memory usage** and an **Out-Of-Memory (OOM) crash** of the process. This issue is relatively uncommon and will only manifest when there are **no restrictions on the input size**, i.e. the expression length is allowed to grow arbitrarily large. In typical use cases where inputs are bounded or validated, this problem would not occur. ### Patches The problem has been **patched** in the latest versions of the Expr library. The fix introduces compile-time limits on the number of AST nodes and memory usage during parsing, preventing any single expression from exhausting resources. Users should upgrade to **Expr version 1.17.0 or later**, as this release includes the new node budget and memory limit safeguards. Upgrading to v1.17.0 ensures that extremely deep or large expressions are detected and safely aborted during compilation, avoiding the OOM condition. ### Workarounds For users who cannot immediately upgrade, the recommended workaround is to **impose an input size restriction before parsing**. In practice, this means validating or limiting the length of expression strings that your application will accept. For example, set a maximum allowable number of characters (or nodes) for any expression and reject or truncate inputs that exceed this limit. By ensuring no unbounded-length expression is ever fed into the parser, you can prevent the parser from constructing a pathologically large AST and avoid potential memory exhaustion. In short, **pre-validate and cap input size** as a safeguard in the absence of the patch. ### References - #762
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-770 Allocation of Resources Without Limits or Throttling
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-29786.json
epss 0.00095 https://api.first.org/data/v1/epss?cve=CVE-2025-29786
epss 0.00095 https://api.first.org/data/v1/epss?cve=CVE-2025-29786
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2025-29786
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2025-29786
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2025-29786
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2025-29786
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2025-29786
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2025-29786
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2025-29786
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2025-29786
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2025-29786
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2025-29786
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2025-29786
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2025-29786
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 7.5 https://github.com/expr-lang/expr
generic_textual HIGH https://github.com/expr-lang/expr
cvssv3.1 7.5 https://github.com/expr-lang/expr/commit/0d19441454426d2f58edb22c31f3ba5f99c7a26e
generic_textual HIGH https://github.com/expr-lang/expr/commit/0d19441454426d2f58edb22c31f3ba5f99c7a26e
ssvc Track https://github.com/expr-lang/expr/commit/0d19441454426d2f58edb22c31f3ba5f99c7a26e
cvssv3.1 7.5 https://github.com/expr-lang/expr/pull/762
generic_textual HIGH https://github.com/expr-lang/expr/pull/762
ssvc Track https://github.com/expr-lang/expr/pull/762
cvssv3.1 7.5 https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2
generic_textual HIGH https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2
ssvc Track https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2025-29786
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2025-29786
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-29786.json
https://api.first.org/data/v1/epss?cve=CVE-2025-29786
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-29786
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/expr-lang/expr
https://github.com/expr-lang/expr/commit/0d19441454426d2f58edb22c31f3ba5f99c7a26e
https://github.com/expr-lang/expr/pull/762
https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2
https://nvd.nist.gov/vuln/detail/CVE-2025-29786
1103788 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103788
2352914 https://bugzilla.redhat.com/show_bug.cgi?id=2352914
RHSA-2025:3335 https://access.redhat.com/errata/RHSA-2025:3335
RHSA-2025:3593 https://access.redhat.com/errata/RHSA-2025:3593
RHSA-2025:3740 https://access.redhat.com/errata/RHSA-2025:3740
RHSA-2025:3743 https://access.redhat.com/errata/RHSA-2025:3743
RHSA-2025:3993 https://access.redhat.com/errata/RHSA-2025:3993
RHSA-2025:7407 https://access.redhat.com/errata/RHSA-2025:7407
RHSA-2025:7479 https://access.redhat.com/errata/RHSA-2025:7479
RHSA-2025:9167 https://access.redhat.com/errata/RHSA-2025:9167
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-29786.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/expr-lang/expr
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/expr-lang/expr/commit/0d19441454426d2f58edb22c31f3ba5f99c7a26e
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-17T13:29:22Z/ Found at https://github.com/expr-lang/expr/commit/0d19441454426d2f58edb22c31f3ba5f99c7a26e
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/expr-lang/expr/pull/762
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-17T13:29:22Z/ Found at https://github.com/expr-lang/expr/pull/762
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-17T13:29:22Z/ Found at https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-29786
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.26175
EPSS Score 0.00095
Published At April 26, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:56:09.530164+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-93mq-9ffx-83m2/GHSA-93mq-9ffx-83m2.json 38.0.0