The vulnerability is in the builtin functions flatten, min, max, mean and median, which recursively walk user-supplied arrays and maps with no depth limit. When Expr evaluates one of these builtins against an environment holding attacker-controlled data that is either nested extremely deeply or cyclic (a slice or map that contains itself), the recursion either runs far deeper than the runtime can accommodate or never terminates at all. Every level consumes goroutine stack space; once the Go stack limit is hit the runtime raises a fatal stack-overflow error, which is not a recoverable panic, and the entire host process is terminated. This is a reliable Denial-of-Service (DoS) vector for any attacker who can place such pathological data into the evaluation environment.
Platform: Expr
Version: < v1.17.7
Vulnerability: Missing recursion depth limit in builtins (stack exhaustion)
Severity: Critical
Date: 2024
Prediction: Patch Released
What Undercode Say:
Check which Expr version the application pins:
go list -m github.com/expr-lang/expr
cat go.mod | grep expr
// Example of vulnerable call (Expr < v1.17.7), using "github.com/expr-lang/expr"
// createDeeplyNestedArray returns an empty slice wrapped in `depth` layers of []interface{}
func createDeeplyNestedArray(depth int) (v interface{}) {
	v = []interface{}{}
	for i := 0; i < depth; i++ { v = []interface{}{v} }
	return v
}
env := map[string]interface{}{"malicious": createDeeplyNestedArray(100000)}
// On a vulnerable build max() recurses once per nesting level until the goroutine stack is exhausted
output, err := expr.Eval("max(malicious)", env)
Simulating the crash against a hypothetical /eval endpoint that decodes the request body into the environment (app.com is a placeholder and the nested payload is abbreviated):
curl -X POST https://app.com/eval -d '{"expr":"flatten(data)", "env":{"data":[[[...]]]}}'
How Exploit:
Craft a cyclic data structure (a slice or map that refers back to itself) or an extremely deeply nested array/map. Get it into the evaluation environment through whatever path the application uses to build that environment from untrusted input. Trigger one of the affected builtins on it, for example flatten(data). Note that the practical reach depends on how the environment is built: if the application decodes the input with encoding/json, the decoder rejects nesting beyond 10000 levels and JSON cannot express cycles at all, so the most dangerous cases arise when application code assembles Go values directly from attacker-controlled data.
Protection from this CVE
Upgrade to v1.17.7 or later, which fixes these builtins. Validate environment data before evaluation: reject values nested beyond a sane depth and never hand self-referential structures to Expr. Panic-recovery middleware is not a defence here: Go stack exhaustion is a fatal runtime error rather than a recoverable panic, so recover() never runs and the process still dies.
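The pre-evaluation check described above, as an added example (this is not code from the original post or from the Expr project). CheckEnvDepth, nestedArray and cyclicMap are names chosen here; the sample data is constructed inline. The checker walks []interface{} and map[string]interface{} values the way the recursive builtins would, but stops at a configurable depth and refuses containers that reappear on the current path, so both the deeply nested and the cyclic payloads from the exploit section are rejected before expr.Eval is ever called. It uses only the standard library.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
)

// Errors returned when environment data would drive a recursive builtin too
// deep or around a reference cycle.
var (
	ErrTooDeep = errors.New("environment value nested deeper than limit")
	ErrCyclic  = errors.New("environment value contains a reference cycle")
)

// CheckEnvDepth walks []interface{} and map[string]interface{} values the way
// a recursive builtin would, but bounded: it fails as soon as nesting exceeds
// maxDepth or a container appears twice on the current path. Call it on every
// value you place in the environment before expr.Eval. Its own recursion is
// bounded by maxDepth, so it cannot be driven into stack exhaustion itself.
func CheckEnvDepth(v interface{}, maxDepth int) error {
	return walk(v, 0, maxDepth, map[uintptr]bool{})
}

func walk(v interface{}, depth, maxDepth int, onPath map[uintptr]bool) error {
	if depth > maxDepth {
		return ErrTooDeep
	}
	var id uintptr
	var elems []interface{}
	switch c := v.(type) {
	case []interface{}:
		if len(c) == 0 {
			return nil // nothing nested; also avoids the shared empty-slice address
		}
		id = reflect.ValueOf(c).Pointer() // address of the backing array
		elems = c
	case map[string]interface{}:
		if len(c) == 0 {
			return nil
		}
		id = reflect.ValueOf(c).Pointer() // address of the map header
		for _, e := range c {
			elems = append(elems, e)
		}
	default:
		return nil // scalars (numbers, strings, bools, nil) cannot nest
	}
	// Conservative cycle check: a container whose backing store is already on
	// the current descent path is treated as self-referential.
	if onPath[id] {
		return ErrCyclic
	}
	onPath[id] = true
	defer delete(onPath, id)
	for _, e := range elems {
		if err := walk(e, depth+1, maxDepth, onPath); err != nil {
			return err
		}
	}
	return nil
}

// nestedArray builds constructed sample data: an empty slice wrapped in
// `depth` layers of []interface{}, i.e. [[[...[]...]]].
func nestedArray(depth int) interface{} {
	var v interface{} = []interface{}{}
	for i := 0; i < depth; i++ {
		v = []interface{}{v}
	}
	return v
}

// cyclicMap builds constructed sample data: a map that contains itself.
func cyclicMap() map[string]interface{} {
	m := map[string]interface{}{"n": 1}
	m["self"] = m
	return m
}

func main() {
	const maxDepth = 64 // far deeper than legitimate data, far shallower than the stack limit
	for name, v := range map[string]interface{}{
		"ok":     nestedArray(3),
		"deep":   nestedArray(100000),
		"cyclic": cyclicMap(),
	} {
		if err := CheckEnvDepth(v, maxDepth); err != nil {
			fmt.Printf("%s: rejected before evaluation: %v\n", name, err)
			continue
		}
		fmt.Printf("%s: safe to pass to expr.Eval\n", name)
	}
}
```

Run CheckEnvDepth on each environment value right after you build it from untrusted input and before the call to expr.Eval; a rejected value never reaches the builtins, which is the only place the unbounded recursion lives. The depth limit should be chosen from what legitimate data actually needs, not from the stack size, since a few dozen levels is already generous for real payloads.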
Impact:
Process crash from an unrecoverable stack overflow, Denial-of-Service.
Sources:
Reported By: github.com

