16 matches found
Security Bulletin: IBM Cloud Pak for Data is vulnerable to service disruption due to memory exhaustion vulnerability in expression parser
Summary Potential vulnerabilities in github.com/Expr-lang/expr module CVE-2025-29786 have been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2025-29786 DESCRIPTION: Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if th...
RLSA-2025:7479 Important: opentelemetry-collector security update
Collector with the supported components for a Rocky Enterprise Software Foundation build of OpenTelemetry Security Fixes: go-jose: Go JOSE's Parsing Vulnerable to Denial of Service CVE-2025-27144 golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jw...
RHEL 10 : opentelemetry-collector (RHSA-2025:7479)
The remote Red Hat Enterprise Linux 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2025:7479 advisory. Collector with the supported components for a Red Hat build of OpenTelemetry Security Fixes: go-jose: Go JOSE's Parsing Vulnerable to Denia...
argocd-cli-2.14.10-1.1 on GA media (moderate)
argocd-cli-2.14.10-1.1 on GA media Announcement ID: openSUSE-SU-2025:15006-1 Rating: moderate Cross-References: CVE-2025-29786 CVSS scores: CVE-2025-29786 SUSE : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-29786 SUSE : 8.2...
Azure Linux 3.0 Security Update: coredns / ig / keda (CVE-2025-29786)
The version of coredns / ig / keda installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-29786 advisory. - Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if th...
CVE-2025-29786 affecting package coredns for versions less than 1.11.1-17
CVE-2025-29786 affecting package coredns for versions less than 1.11.1-17. A patched version of the package is available...
RHEL 9 : opentelemetry-collector (RHSA-2025:3335)
The remote Red Hat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2025:3335 advisory. Collector with the supported components for a Red Hat build of OpenTelemetry Security Fixes: golang: net/http: net/http: sensitive headers...
CVE-2025-29786 affecting package ig for versions less than 0.37.0-3
CVE-2025-29786 affecting package ig for versions less than 0.37.0-3. A patched version of the package is available...
CVE-2025-29786 affecting package keda for versions less than 2.14.1-4
CVE-2025-29786 affecting package keda for versions less than 2.14.1-4. A patched version of the package is available...
CVE-2025-29786 affecting package coredns for versions less than 1.11.4-4
CVE-2025-29786 affecting package coredns for versions less than 1.11.4-4. A patched version of the package is available...
CVE-2025-29786 vulnerabilities
Vulnerabilities for packages: opentelemetry-collector, nats, argo-rollouts, k8sgpt, kargo, splunk-otel-collector, tempo, kubeflow-pipelines, argo-workflows, argo-cd, coredns, grafana-alloy, opentelemetry-collector-contrib, amazon-cloudwatch-agent...
SUSE CVE-2025-29786
Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios wher...
CVE-2025-29786
A flaw was found in Expr. This vulnerability allows excessive memory usage and potential out-of-memory (OOM) crashes via unbounded input strings, where a malicious or inadvertent large expression can cause the parser to construct an extremely large Abstract Syntax Tree (AST), consuming excessive...
CVE-2025-29786
Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios wher...
CVE-2025-29786 Memory Exhaustion in Expr Parser with Unrestricted Input
Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios wher...
CVE-2025-29786
Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios wher...