PT-2025-11483 · Expr+2
Published 2025-03-17 · Updated 2026-05-14 · CVE-2025-29786
CVSS v2.0: 7.8 High
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Expr versions prior to 1.17.0
Description: The issue arises when the Expr expression parser is given an unbounded input string. The parser attempts to compile the entire string and allocates an Abstract Syntax Tree (AST) node for each part of the expression, so a sufficiently large input causes excessive memory usage and an Out-Of-Memory (OOM) crash of the process. The problem is relatively uncommon and only occurs when there are no restrictions on the input size. The estimated number of potentially affected devices is not provided.
Recommendations: For Expr versions prior to 1.17.0, upgrade to Expr version 1.17.0 or later, as this release includes new node budget and memory limit safeguards. For users who cannot immediately upgrade, impose an input size restriction before parsing by validating or limiting the length of expression strings that your application will accept, and reject or truncate inputs that exceed this limit.
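The pre-parse size restriction recommended above, written as an added Go example (this is not code from the Expr project or from the advisory). It assumes a compile step of the form `func(string) (any, error)`; in a real deployment that would be a closure over the library's compile function, but here a constructed token-counting stand-in is used so the file runs without the expr module. Both policies named in the recommendation are shown: rejection (the default) and truncation, with truncation kept on a UTF-8 rune boundary so it never produces an invalid string.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// ErrExpressionTooLarge is returned when an input exceeds the configured byte limit.
var ErrExpressionTooLarge = errors.New("expression exceeds size limit")

// CompileFunc is the compile step the guard protects. In production this would wrap the
// expression library's compile function; here (assumption) it stays abstract so the file
// has no external dependency.
type CompileFunc func(src string) (any, error)

// SizeGuard enforces a byte limit on expression source before it reaches the parser, so an
// unbounded string can never make the parser allocate one AST node per token of its length.
type SizeGuard struct {
	MaxBytes int
	Truncate bool // false: reject oversized input; true: cut it down to MaxBytes
	compile  CompileFunc
}

// NewSizeGuard validates the configuration; a zero or negative limit would disable the guard.
func NewSizeGuard(maxBytes int, truncate bool, compile CompileFunc) (*SizeGuard, error) {
	if maxBytes <= 0 {
		return nil, errors.New("MaxBytes must be positive")
	}
	if compile == nil {
		return nil, errors.New("compile function is required")
	}
	return &SizeGuard{MaxBytes: maxBytes, Truncate: truncate, compile: compile}, nil
}

// truncateAtRuneBoundary cuts s to at most n bytes without splitting a UTF-8 sequence.
func truncateAtRuneBoundary(s string, n int) string {
	if len(s) <= n {
		return s
	}
	for n > 0 && !utf8.RuneStart(s[n]) {
		n--
	}
	return s[:n]
}

// Compile applies the size policy, then hands the (possibly shortened) source to the parser.
func (g *SizeGuard) Compile(src string) (any, error) {
	if len(src) > g.MaxBytes {
		if !g.Truncate {
			return nil, fmt.Errorf("%w: %d bytes, limit %d", ErrExpressionTooLarge, len(src), g.MaxBytes)
		}
		src = truncateAtRuneBoundary(src, g.MaxBytes)
	}
	return g.compile(src)
}

// tokenCountCompile is a constructed stand-in for the real compiler: it returns the number of
// whitespace-separated tokens, a rough proxy for how many AST nodes a parser would allocate.
func tokenCountCompile(src string) (any, error) {
	if strings.TrimSpace(src) == "" {
		return nil, errors.New("empty expression")
	}
	return len(strings.Fields(src)), nil
}

func main() {
	guard, err := NewSizeGuard(4096, false, tokenCountCompile)
	if err != nil {
		panic(err)
	}
	// Constructed oversized input: about 16 MiB of "1 + 1 + ..." that an unguarded
	// call would parse in full, allocating a node for every term.
	huge := strings.Repeat("1 + ", 4<<20) + "1"
	if _, err := guard.Compile(huge); errors.Is(err, ErrExpressionTooLarge) {
		fmt.Println("rejected before parsing:", err)
	}
	nodes, _ := guard.Compile("price * qty + tax")
	fmt.Println("small expression compiled; token count:", nodes)
}
```

Rejection is the sensible default: a truncated expression almost always ends mid-token or mid-operator and fails to parse anyway, so truncation buys nothing beyond a parse error. Put the guard in front of every code path that compiles caller-supplied expressions, and log the rejection with the observed byte count so oversized inputs show up in monitoring.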

Exploit · Fix · RCE

Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers

AZL-58848
AZL-58857
AZL-58861
AZL-58872
BDU:2026-00158
CVE-2025-29786
GHSA-93MQ-9FFX-83M2
GO-2025-3525
INFSA-2025_3335
OPENSUSE-SU-2025:14910-1
OPENSUSE-SU-2025:15006-1
RHSA-2025:3335
RHSA-2025:3593
RHSA-2025:7407
RHSA-2025:7479
RHSA-2025_3335
RHSA-2025_7407

Affected Products

Debian
Expr
Red Hat