Expr, Stack Overflow, CVE-2024-42376 (Critical)


The vulnerability exists in builtin functions (flatten, min, max, mean, median) that recursively traverse user-supplied data structures (arrays, maps) without a depth limit. When Expr evaluates an expression containing these functions on an environment with attacker-controlled, deeply nested or cyclic data, the recursion never terminates. Each recursive call consumes Go runtime stack space. This continues until the stack memory is exhausted, triggering a panic that crashes the entire host application. This provides a reliable Denial-of-Service (DoS) vector if an attacker can inject such pathological data into the evaluation context.
Platform: Expr
Version: < v1.17.7
Vulnerability: Missing recursion depth limit (unbounded recursion)
Severity: Critical
Date: 2024

Prediction: Patch Released

What Undercode Says:

Check which Expr version the application pulls in:

go list -m github.com/expr-lang/expr
grep expr go.mod

Example of a vulnerable call (createDeeplyNestedArray stands in for whatever produces the nested input):

// Example of vulnerable call: max() recurses through the whole nested value
env := map[string]interface{}{
    "malicious": createDeeplyNestedArray(100000),
}
output, err := expr.Eval("max(malicious)", env)

Simulating the crash against an endpoint that evaluates a caller-supplied expression and environment:

curl -X POST https://app.com/eval -d '{"expr":"flatten(data)", "env":{"data":[[[...]]]}}'

How to Exploit:

Craft cyclic data structures or extremely deep nested arrays/maps. Inject into evaluation environment. Call vulnerable builtin (flatten(data)).

Protection from this CVE

Upgrade to v1.17.7 or later. Implement input validation/sanitization of the evaluation environment. Use panic recovery middleware.
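As an added example of the validation step (not Expr's own code), the following Go checker walks the environment before it reaches expr.Eval and rejects nesting beyond a depth cap or any container that refers back to one of its ancestors; checking before evaluation matters because a Go stack overflow is a fatal runtime error that recover() cannot catch. MaxDepth, ValidateEnv and walk are names assumed here, and the 64-level cap is an assumed policy.

```go
package main

import (
	"errors"
	"reflect"
)

// MaxDepth caps how deeply nested arrays/maps may be before evaluation (assumed policy).
const MaxDepth = 64

var ErrTooDeep, ErrCycle = errors.New("env: nesting exceeds depth limit"), errors.New("env: cyclic reference detected")

// ValidateEnv rejects env if any array or map nests deeper than MaxDepth or
// refers back to one of its own ancestors; run it before expr.Eval so the
// unbounded recursion in flatten/min/max/mean/median never starts.
func ValidateEnv(env map[string]interface{}) error {
	return walk(env, 0, map[uintptr]bool{})
}

// walk checks depth before descending, so its own stack use is bounded.
func walk(v interface{}, depth int, onPath map[uintptr]bool) error {
	if depth > MaxDepth {
		return ErrTooDeep
	}
	var children []interface{}
	switch t := v.(type) {
	case []interface{}:
		children = t
	case map[string]interface{}:
		for _, c := range t {
			children = append(children, c)
		}
	default:
		return nil // other types are treated as leaves; extend for the types your env uses
	}
	// reflect reports the backing-array (slice) or header (map) address; meeting it
	// again on the current path means a cycle. Sub-slices sharing a backing array
	// are rejected too, which is conservative but safe.
	id := reflect.ValueOf(v).Pointer()
	if onPath[id] {
		return ErrCycle
	}
	onPath[id] = true
	defer delete(onPath, id) // shared but acyclic sub-structures stay allowed
	for _, c := range children {
		if err := walk(c, depth+1, onPath); err != nil {
			return err
		}
	}
	return nil
}
```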

Impact:

Application Crash, Denial-of-Service.


Sources:

Reported By: github.com