Skip to content

Commit d8177bd

Browse files
thatnealpatelgopherbot
thatnealpatel
authored and
gopherbot
committed
data/reports: add GO-2025-3525
 - data/reports/GO-2025-3525.yaml Fixes #3525 Change-Id: I4f074f5205920fb186abd2cc1d841a7365100a18 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/658835 Auto-Submit: Neal Patel <[email protected]> Reviewed-by: Zvonimir Pavlinovic <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]>
1 parent e6a10f5 commit d8177bd

File tree

2 files changed

+125
-0
lines changed

2 files changed

+125
-0
lines changed

data/osv/GO-2025-3525.json

+81
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,81 @@
1+
{
2+
"schema_version": "1.3.1",
3+
"id": "GO-2025-3525",
4+
"modified": "0001-01-01T00:00:00Z",
5+
"published": "0001-01-01T00:00:00Z",
6+
"aliases": [
7+
"CVE-2025-29786",
8+
"GHSA-93mq-9ffx-83m2"
9+
],
10+
"summary": "Memory Exhaustion in Expr Parser with Unrestricted Input in github.com/expr-lang/expr",
11+
"details": "Memory Exhaustion in Expr Parser with Unrestricted Input in github.com/expr-lang/expr",
12+
"affected": [
13+
{
14+
"package": {
15+
"name": "github.com/expr-lang/expr",
16+
"ecosystem": "Go"
17+
},
18+
"ranges": [
19+
{
20+
"type": "SEMVER",
21+
"events": [
22+
{
23+
"introduced": "0"
24+
},
25+
{
26+
"fixed": "1.17.0"
27+
}
28+
]
29+
}
30+
],
31+
"ecosystem_specific": {
32+
"imports": [
33+
{
34+
"path": "github.com/expr-lang/expr/parser",
35+
"symbols": [
36+
"Parse",
37+
"ParseWithConfig",
38+
"parser.expect",
39+
"parser.parseArrayExpression",
40+
"parser.parseCall",
41+
"parser.parseConditional",
42+
"parser.parseExpression",
43+
"parser.parseMapExpression",
44+
"parser.parsePostfixExpression",
45+
"parser.parsePrimary",
46+
"parser.parseSecondary",
47+
"parser.parseVariableDeclaration",
48+
"parser.toIntegerNode"
49+
]
50+
},
51+
{
52+
"path": "github.com/expr-lang/expr/vm",
53+
"symbols": [
54+
"Run",
55+
"VM.Run",
56+
"VM.pop"
57+
]
58+
}
59+
]
60+
}
61+
}
62+
],
63+
"references": [
64+
{
65+
"type": "ADVISORY",
66+
"url": "https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2"
67+
},
68+
{
69+
"type": "FIX",
70+
"url": "https://github.com/expr-lang/expr/commit/0d19441454426d2f58edb22c31f3ba5f99c7a26e"
71+
},
72+
{
73+
"type": "FIX",
74+
"url": "https://github.com/expr-lang/expr/pull/762"
75+
}
76+
],
77+
"database_specific": {
78+
"url": "https://pkg.go.dev/vuln/GO-2025-3525",
79+
"review_status": "REVIEWED"
80+
}
81+
}

data/reports/GO-2025-3525.yaml

+44
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,44 @@
1+
id: GO-2025-3525
2+
modules:
3+
- module: github.com/expr-lang/expr
4+
versions:
5+
- fixed: 1.17.0
6+
vulnerable_at: 1.16.9
7+
packages:
8+
- package: github.com/expr-lang/expr/parser
9+
symbols:
10+
- parser.expect
11+
- parser.parseExpression
12+
- parser.parseVariableDeclaration
13+
- parser.parseConditional
14+
- parser.parsePrimary
15+
- parser.parseSecondary
16+
- parser.toIntegerNode
17+
- parser.parseCall
18+
- parser.parseArrayExpression
19+
- parser.parseMapExpression
20+
- parser.parsePostfixExpression
21+
derived_symbols:
22+
- Parse
23+
- ParseWithConfig
24+
- package: github.com/expr-lang/expr/vm
25+
symbols:
26+
- VM.Run
27+
- VM.pop
28+
derived_symbols:
29+
- Run
30+
summary: |-
31+
Memory Exhaustion in Expr Parser with Unrestricted Input in
32+
github.com/expr-lang/expr
33+
cves:
34+
- CVE-2025-29786
35+
ghsas:
36+
- GHSA-93mq-9ffx-83m2
37+
references:
38+
- advisory: https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2
39+
- fix: https://github.com/expr-lang/expr/commit/0d19441454426d2f58edb22c31f3ba5f99c7a26e
40+
- fix: https://github.com/expr-lang/expr/pull/762
41+
source:
42+
id: GHSA-93mq-9ffx-83m2
43+
created: 2025-03-18T11:51:46.829184-04:00
44+
review_status: REVIEWED

0 commit comments

Comments
 (0)