x/vulndb: potential Go vuln in github.com/expr-lang/expr: CVE-2025-29786

[GoVulnBot]

Advisory CVE-2025-29786 references a vulnerability in the following Go modules:

Module
github.com/expr-lang/expr

Description:
Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios where input size isn’t limited, a malicious or inadvertent extremely large expression can consume excessive memory as the parser builds a huge AST. This can ultimately lead to*excessive memory usage and an Out-Of-Memory (OOM) crash of the process. This issue is relatively uncommon and will only manifes...

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-29786
• FIX: feat: add node budget and memory limits expr-lang/expr#762
• WEB: GHSA-93mq-9ffx-83m2

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/expr-lang/expr
      vulnerable_at: 1.17.0
summary: CVE-2025-29786 in github.com/expr-lang/expr
cves:
    - CVE-2025-29786
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-29786
    - fix: https://github.com/expr-lang/expr/pull/762
    - web: https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2
source:
    id: CVE-2025-29786
    created: 2025-03-17T15:01:26.595720951Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/658835 mentions this issue: data/reports: add GO-2025-3525