cvedb.io
CVE-2025-68156
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2025-12-16T19:16:00.567 · Last modified 2026-06-17T09:58:39.070

Summary

Expr is an expression language and expression evaluation for Go. Prior to version 1.17.7, several builtin functions in Expr, including `flatten`, `min`, `max`, `mean`, and `median`, perform recursive traversal over user-provided data structures without enforcing a maximum recursion depth. If the evaluation environment contains deeply nested or cyclic data structures, these functions may recurse indefinitely until they exceed the Go runtime stack limit. This results in a stack overflow panic, causing the host application to crash. While exploitability depends on whether an attacker can influence or inject cyclic or pathologically deep data into the evaluation environment, this behavior represents a denial-of-service (DoS) risk and affects overall library robustness. Instead of returning a recove
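
A minimal Go illustration of the pattern the summary describes, added here and not taken from the Expr project: an unbounded recursive flatten beside a bounded one that fails closed with an error once its nesting budget is spent. The depth cap of 64, the function names and the sample inputs are assumptions, not values from the advisory.

```go
package main

import "errors"

// ErrTooDeep is returned instead of letting recursion run until the Go
// runtime stack is exhausted, which cannot be recovered from.
var ErrTooDeep = errors.New("flatten: maximum nesting depth exceeded")

// maxDepth is a constructed limit; a real library would pick it per call site.
const maxDepth = 64

// flattenUnbounded mirrors the unbounded recursion pattern the advisory
// describes: nothing stops it from descending into a self-referencing slice,
// so a cyclic input overflows the stack and crashes the process.
func flattenUnbounded(v any, out []any) []any {
	if s, ok := v.([]any); ok {
		for _, e := range s {
			out = flattenUnbounded(e, out)
		}
		return out
	}
	return append(out, v)
}

// flattenBounded carries a remaining-depth budget on every recursive call;
// a cyclic or pathologically deep value spends it and yields an error.
func flattenBounded(v any, out []any, depth int) ([]any, error) {
	s, ok := v.([]any)
	if !ok {
		return append(out, v), nil // leaf value
	}
	if depth <= 0 {
		return nil, ErrTooDeep
	}
	var err error
	for _, e := range s {
		if out, err = flattenBounded(e, out, depth-1); err != nil {
			return nil, err
		}
	}
	return out, nil
}

// Flatten is the bounded entry point a caller should use on untrusted data.
func Flatten(v any) ([]any, error) {
	return flattenBounded(v, nil, maxDepth)
}
```

Building a cyclic value is as simple as `c := []any{1, nil}; c[1] = c`; passing it to flattenUnbounded is fatal, while Flatten returns ErrTooDeep and the host keeps running.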

Affected products

expr-lang — expr

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.