Expr Stack Exhaustion Vulnerability in Builtin Functions Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the Expr expression language for Go, affecting versions prior to 1.17.7. Several builtin functions, including flatten, min, max, mean, and median, recursively traverse user-defined data structures without a maximum recursion depth limit. This can lead to indefinite recursion in the presence of deeply nested or cyclic data, causing a stack overflow panic that crashes the host application. The issue represents a robustness risk for the library, as it can be exploited to reliably terminate processes, especially when Expr evaluates expressions with untrusted or poorly validated data structures.

Impact

Exploitation of this vulnerability causes a process-level crash due to stack exhaustion, creating a denial-of-service condition. The panic from the stack overflow is unrecoverable, leading to an unexpected termination of the application.

Remediation

Users are strongly encouraged to upgrade to Expr version 1.17.7 or later, which includes a maximum recursion depth limit for the affected builtin functions. This update allows for safe evaluation of expressions by preventing stack overflows from deeply nested or cyclic data structures. For those who cannot upgrade immediately, it is recommended to validate or sanitize data structures before passing them to Expr, ensure that evaluation environments are free of cyclic references, and wrap expression evaluations with panic recovery as a last-resort defensive measure.
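The interim mitigation above (validate data structures and rule out cyclic references before Expr sees them) can be implemented as a pre-evaluation check. The following is an added example, not code from the Expr project; it walks the slices and maps that the affected builtins recurse into and rejects input that is nested too deeply or that contains a cycle. MaxDepth here is an assumed limit chosen for illustration, not the value used by Expr 1.17.7.

```go
package main

import (
	"errors"
	"reflect"
)

// MaxDepth is an assumed limit for this example, not the value Expr 1.17.7 uses.
const MaxDepth = 64
var ErrTooDeep = errors.New("nested data exceeds maximum depth")
var ErrCycle = errors.New("cyclic reference detected")
// CheckNesting walks the slices and maps in v (the shapes flatten, min, max, mean
// and median recurse into) and rejects nesting deeper than MaxDepth or any cycle.
func CheckNesting(v interface{}) error {
	return walk(reflect.ValueOf(v), 1, map[uintptr]bool{})
}

func walk(rv reflect.Value, depth int, seen map[uintptr]bool) error {
	for rv.Kind() == reflect.Interface || rv.Kind() == reflect.Ptr {
		rv = rv.Elem() // unwrap interface{} elements and pointers; nil yields an invalid Value
	}
	if rv.Kind() != reflect.Slice && rv.Kind() != reflect.Map {
		return nil // scalars (and nil) end the recursion
	}
	if depth > MaxDepth {
		return ErrTooDeep
	}
	// A container already on the current path is a cycle; the same slice or map seen twice as siblings is not.
	if p := rv.Pointer(); p != 0 {
		if seen[p] {
			return ErrCycle
		}
		seen[p] = true
		defer delete(seen, p)
	}
	if rv.Kind() == reflect.Map {
		for it := rv.MapRange(); it.Next(); {
			if err := walk(it.Value(), depth+1, seen); err != nil {
				return err
			}
		}
		return nil
	}
	for i := 0; i < rv.Len(); i++ {
		if err := walk(rv.Index(i), depth+1, seen); err != nil {
			return err
		}
	}
	return nil
}
```

Call CheckNesting on the environment map (or on each user-supplied value) before expr.Run and refuse evaluation when it returns an error; the panic-recovery wrapper remains a last resort only, since a Go stack overflow is a fatal runtime error that recover cannot intercept.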

Added: Dec 16, 2025, 7:35 PM
Updated: Dec 16, 2025, 7:35 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 7.7
relevance: 1.4
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.