{"id":"GO-2025-3525","summary":"Memory Exhaustion in Expr Parser with Unrestricted Input in github.com/expr-lang/expr","details":"Memory Exhaustion in Expr Parser with Unrestricted Input in github.com/expr-lang/expr","aliases":["CVE-2025-29786","GHSA-93mq-9ffx-83m2"],"modified":"2026-03-17T04:49:34.688720Z","published":"2025-03-18T16:33:22Z","related":["CGA-wfwm-4v8m-j6j3"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2025-3525"},"references":[{"type":"ADVISORY","url":"https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2"},{"type":"FIX","url":"https://github.com/expr-lang/expr/commit/0d19441454426d2f58edb22c31f3ba5f99c7a26e"},{"type":"FIX","url":"https://github.com/expr-lang/expr/pull/762"}],"affected":[{"package":{"name":"github.com/expr-lang/expr","ecosystem":"Go","purl":"pkg:golang/github.com/expr-lang/expr"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.17.0"}]}],"ecosystem_specific":{"imports":[{"symbols":["Parse","ParseWithConfig","parser.expect","parser.parseArrayExpression","parser.parseCall","parser.parseConditional","parser.parseExpression","parser.parseMapExpression","parser.parsePostfixExpression","parser.parsePrimary","parser.parseSecondary","parser.parseVariableDeclaration","parser.toIntegerNode"],"path":"github.com/expr-lang/expr/parser"},{"symbols":["Run","VM.Run","VM.pop"],"path":"github.com/expr-lang/expr/vm"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2025-3525.json"}}],"schema_version":"1.7.5"}