Security Advisories

This page contains security advisories and CVEs that I have reported and contributed to as an individual security researcher in my personal capacity.

expr-lang/expr: Memory Exhaustion in Expr Parser with Unrestricted Input
Published: 2025-03-16

If the Expr expression parser is given an input string of unbounded length, it attempts to compile the whole string, allocating an Abstract Syntax Tree (AST) node for every part of the expression. Where the caller does not limit input size, an extremely large expression, whether malicious or accidental, makes the parser build a correspondingly huge AST, and the resulting memory consumption can end in an Out-Of-Memory (OOM) crash of the process.

The issue has been fixed in version 1.17.0.


clidey/whodb: Unbounded Memory Consumption
Published: 2024-12-19

A Denial of Service (DoS) vulnerability in the authentication middleware allows any client to cause memory exhaustion by sending large request bodies.

The issue has been fixed in version 0.44.0.
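Both advisories above share one root cause: untrusted input is consumed in full before any size check, once as a string handed to a parser and once as an HTTP request body read by middleware. The Go program below is an added example written for this page, not code from expr-lang or whodb, showing the two guards a defender would put in front of such code. The limits (`maxExprBytes`, `maxBodyBytes`), the `checkExprSize` guard that a caller would place before invoking the parser, and the stand-in `authMiddleware` are all hypothetical; the block deliberately does not import the Expr library so it runs with the standard library alone.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical limits chosen for this example; tune them to the application.
const (
	maxExprBytes = 4 * 1024  // longest expression the service will hand to the parser
	maxBodyBytes = 64 * 1024 // largest request body the middleware will read
)

var ErrExprTooLong = errors.New("expression exceeds size limit")

// checkExprSize is the guard a caller places in front of a compile step such as
// expr.Compile: an oversized expression is rejected by a length comparison before
// any AST node is allocated, so its cost no longer grows with the input.
func checkExprSize(src string) error {
	if len(src) > maxExprBytes {
		return fmt.Errorf("%w: %d bytes > %d", ErrExprTooLong, len(src), maxExprBytes)
	}
	return nil
}

// readBoundedBody reads at most maxBodyBytes from the request. http.MaxBytesReader
// stops the read once the limit is crossed and returns a *http.MaxBytesError, so a
// client streaming an unbounded body cannot make the server buffer all of it.
func readBoundedBody(w http.ResponseWriter, r *http.Request) ([]byte, error) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var mbe *http.MaxBytesError
		if errors.As(err, &mbe) {
			return nil, fmt.Errorf("request body exceeds %d bytes", maxBodyBytes)
		}
		return nil, err
	}
	return body, nil
}

// authMiddleware has the shape of an authentication middleware that must inspect
// the body: it bounds the read and answers 413 instead of buffering the request.
func authMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := readBoundedBody(w, r)
		if err != nil {
			http.Error(w, err.Error(), http.StatusRequestEntityTooLarge)
			return
		}
		// Credential checks on the bounded body would go here; the body is then
		// re-attached so downstream handlers can read it as usual.
		r.Body = io.NopCloser(bytes.NewReader(body))
		next.ServeHTTP(w, r)
	})
}

// postStatus sends a constructed body of n bytes through the middleware and
// returns the HTTP status, so the behaviour can be checked without a network.
func postStatus(n int) int {
	h := authMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodPost, "/login", strings.NewReader(strings.Repeat("a", n)))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("short expression:", checkExprSize("1 + 2"))
	fmt.Println("oversized expression:", checkExprSize(strings.Repeat("1+", maxExprBytes)))
	fmt.Println("small body status:", postStatus(100))
	fmt.Println("oversized body status:", postStatus(maxBodyBytes+1))
}
```

The two checks are cheap and independent of each other: the length test runs before the parser sees a single byte, and `MaxBytesReader` makes the read itself fail once the cap is exceeded rather than relying on a later check of an already-buffered body.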