Expr Vulnerability

HIGH (7.5) Workaround Available

Threat Intelligence

Medium Risk - Detectable
EPSS Score: 0.05% chance of exploitation (percentile: 17%)
🔍 Detection Tools: OSV.dev
⚔️ Exploit Availability: No public exploits found


What is it?

Expr is an expression language and evaluation engine for Go. It evaluates mathematical expressions against user-provided data structures. Affected versions lack a built-in safeguard against recursive traversal of cyclic data: an evaluation environment that contains a cyclic reference can drive the engine into unbounded recursion, which is a denial-of-service (DoS) risk.

Am I affected?

You're affected if you use Expr version 1.17.6 or earlier. To check which version your module builds against, run the following command from within your module:

go list -m github.com/expr-lang/expr

Note that this vulnerability is specific to Expr; other expression evaluation libraries for Go are not affected by it.

Affected Packages

go: github.com/expr-lang/expr

Affected Products

aEnrich / a+HRD

How to fix

To fix this vulnerability, upgrade to Expr version 1.17.7 or later. The fix was merged in the official GitHub repository via pull request https://github.com/expr-lang/expr/pull/870

Immediate mitigations:

  • Ensure that evaluation environments cannot contain cyclic references.
  • Validate or sanitize externally supplied data structures before passing them to Expr.
  • Wrap expression evaluation with panic recovery to prevent a full process crash (as a last-resort defensive measure).
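As an added illustration of the first two mitigations (this is example code, not code from the Expr project), the following Go program walks an evaluation environment with reflection and rejects it if any pointer, map or slice is reachable from itself; hasCycle and CheckEnv are hypothetical names, and the env value in main is constructed for the demonstration.

```go
package main

import "fmt"
import "reflect"

// hasCycle reports whether v reaches itself via pointers, maps, slices, structs
// or interfaces. onPath tracks only the current walk, so shared values pass.
func hasCycle(v reflect.Value, onPath map[uintptr]bool) bool {
	k := v.Kind()
	if k == reflect.Ptr || k == reflect.Map || k == reflect.Slice {
		id := v.Pointer() // container identity; 0 for nil, which has no children
		if onPath[id] {
			return true
		}
		onPath[id] = true
		defer delete(onPath, id)
	}
	switch k {
	case reflect.Interface, reflect.Ptr:
		return hasCycle(v.Elem(), onPath) // a nil Elem is Invalid and ends the walk
	case reflect.Map, reflect.Slice, reflect.Struct:
		n, at := v.Len, v.Index // child count and i-th child (slice defaults)
		if k == reflect.Struct {
			n, at = v.NumField, v.Field
		} else if k == reflect.Map {
			keys := v.MapKeys()
			at = func(i int) reflect.Value { return v.MapIndex(keys[i]) }
		}
		for i := 0; i < n(); i++ {
			if hasCycle(at(i), onPath) {
				return true
			}
		}
	}
	return false
}

// CheckEnv is the gate to call before handing env to the expression engine.
func CheckEnv(env any) error {
	if hasCycle(reflect.ValueOf(env), map[uintptr]bool{}) {
		return fmt.Errorf("environment contains a cyclic reference")
	}
	return nil
}

func main() {
	env := map[string]any{"user": map[string]any{"name": "alice"}}
	env["self"] = env // constructed cyclic reference back to the root map
	fmt.Println(CheckEnv(env)) // environment contains a cyclic reference
}
```

Run this check before evaluation rather than relying on the third mitigation alone: recover() only intercepts panics, and a goroutine stack overflow caused by unbounded recursion is a fatal runtime error that no deferred function can catch.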