PT-2025-51779 · Expr+4
Published 2025-12-16 · Updated 2026-05-14 · CVE-2025-68156
CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Expr versions prior to 1.17.7
Description
The Expr library, an expression language and evaluation engine for Go, contains a flaw in several builtin functions, including flatten, min, max, mean, and median, that can lead to a denial of service. These functions recursively traverse user-provided data structures with no maximum recursion depth. If the evaluation environment contains deeply nested or cyclic data structures, they may recurse indefinitely, exhausting the stack and crashing the application. The issue matters most when expressions are evaluated against externally supplied or dynamically constructed environments. Version 1.17.7 resolves the problem by introducing a maximum recursion depth: when the limit is exceeded, the function returns an error instead of panicking. The limit can be customized via builtin.MaxDepth.
Recommendations
Upgrade to Expr version 1.17.7 or later.
Ensure evaluation environments do not contain cyclic references.
Validate or sanitize externally supplied data structures before passing them to Expr.
Wrap expression evaluation with panic recovery as a last-resort defensive measure.
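The following Go program is an added example illustrating the second and third recommendations; it is not code from the Expr project or from this advisory. Before an environment is handed to an evaluator, it walks the map[string]any and []any values the environment is made of, rejects nesting deeper than a ceiling, and rejects any container that is its own ancestor. It also shows a depth-limited flatten that returns an error rather than recursing until the stack is gone, the same shape as the upstream fix. The constant MaxDepth (64), the names CheckEnv, walk and Flatten, and the sample environments are assumptions constructed for this example; the library's real limit is builtin.MaxDepth and is not referenced here. One caveat on the fourth recommendation: in Go, exhausting the goroutine stack is a fatal runtime error, not a recoverable panic, so recover() does not catch the overflow itself; a pre-evaluation check such as this one, or the library's own depth limit, is what prevents the crash.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
)

// MaxDepth is the recursion ceiling used by this example. It plays the role
// of the configurable limit exposed by the fixed library (builtin.MaxDepth);
// the value 64 is an assumption chosen for illustration, not the library's
// default.
const MaxDepth = 64

var (
	ErrTooDeep = errors.New("nesting exceeds MaxDepth")
	ErrCycle   = errors.New("cyclic reference in environment")
)

// CheckEnv validates an evaluation environment built from map[string]any and
// []any values before it is handed to an expression engine. It returns
// ErrTooDeep for nesting beyond MaxDepth and ErrCycle for a container that is
// its own ancestor, so a recursive builtin never receives input that would
// make it recurse until the stack is exhausted.
func CheckEnv(env any) error {
	return walk(env, 0, map[uintptr]bool{})
}

// walk descends through the environment, tracking the identity of every
// container on the current path. Maps and slices are reference types, so
// reflect's Pointer() gives a stable identity for cycle detection.
func walk(v any, depth int, onPath map[uintptr]bool) error {
	if depth > MaxDepth {
		return ErrTooDeep
	}
	var children []any
	var id uintptr
	switch x := v.(type) {
	case map[string]any:
		id = reflect.ValueOf(x).Pointer()
		for _, c := range x {
			children = append(children, c)
		}
	case []any:
		if len(x) == 0 {
			return nil
		}
		id = reflect.ValueOf(x).Pointer()
		children = x
	default:
		return nil // scalars cannot recurse
	}
	if onPath[id] {
		return ErrCycle
	}
	onPath[id] = true
	defer delete(onPath, id) // a container shared by sibling paths is not a cycle
	for _, c := range children {
		if err := walk(c, depth+1, onPath); err != nil {
			return err
		}
	}
	return nil
}

// Flatten is a toy re-implementation of the kind of builtin the advisory
// names, written the way the fix describes: the recursion carries a depth
// counter and turns runaway recursion into an error instead of a crash.
// Without the depth check, a slice that contains itself would recurse
// forever. This is not the Expr library's own flatten.
func Flatten(v any) ([]any, error) {
	var out []any
	if err := flattenInto(v, 0, &out); err != nil {
		return nil, err
	}
	return out, nil
}

func flattenInto(v any, depth int, out *[]any) error {
	if depth > MaxDepth {
		return fmt.Errorf("flatten: %w", ErrTooDeep)
	}
	s, ok := v.([]any)
	if !ok {
		*out = append(*out, v)
		return nil
	}
	for _, c := range s {
		if err := flattenInto(c, depth+1, out); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Constructed sample environments for the demo.
	env := map[string]any{"items": []any{1, []any{2, 3}}}
	fmt.Println("well-formed env:", CheckEnv(env))
	env["loop"] = env // the environment now refers to itself
	fmt.Println("cyclic env:", CheckEnv(env))

	self := []any{1, nil}
	self[1] = self // a slice containing itself
	_, err := Flatten(self)
	fmt.Println("flatten cyclic:", err)
}
```

In a service, call CheckEnv on the environment before expr evaluation and treat an error as a rejected request; keep the ceiling here no larger than the value configured in builtin.MaxDepth so that input the library would refuse is refused earlier, with a clear error rather than a crash.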
Labels: Exploit · Fix · DoS · Allocation of Resources Without Limits
Affected Products
Almalinux
Expr
Red Hat
Red Os
Rocky Linux