GO-2025-3525

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2025-3525

Import Source

https://vuln.go.dev/ID/GO-2025-3525.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2025-3525

Aliases

Published

2025-03-18T16:33:22Z

Modified

2025-03-18T17:12:14.836395Z

Summary

Memory Exhaustion in Expr Parser with Unrestricted Input in github.com/expr-lang/expr

Details

Memory Exhaustion in Expr Parser with Unrestricted Input in github.com/expr-lang/expr

Database specific

{
    "url": "https://pkg.go.dev/vuln/GO-2025-3525",
    "review_status": "REVIEWED"
}

References

Affected packages

Go / github.com/expr-lang/expr

Package

Name: github.com/expr-lang/expr; View open source insights on deps.dev
Purl: pkg:golang/github.com/expr-lang/expr

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.17.0

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "Parse",
                "ParseWithConfig",
                "parser.expect",
                "parser.parseArrayExpression",
                "parser.parseCall",
                "parser.parseConditional",
                "parser.parseExpression",
                "parser.parseMapExpression",
                "parser.parsePostfixExpression",
                "parser.parsePrimary",
                "parser.parseSecondary",
                "parser.parseVariableDeclaration",
                "parser.toIntegerNode"
            ],
            "path": "github.com/expr-lang/expr/parser"
        },
        {
            "symbols": [
                "Run",
                "VM.Run",
                "VM.pop"
            ],
            "path": "github.com/expr-lang/expr/vm"
        }
    ]
}