
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Expr, an expression language and evaluation library for Go, contained a vulnerability (CVE-2025-29786) in versions prior to 1.17.0. The issue was disclosed on March 17, 2025, and affects the expression parser component when it handles unbounded input strings (NVD, GitHub Advisory).
The vulnerability occurs when the Expr expression parser processes an unbounded input string. The parser attempts to compile the entire string and generates an Abstract Syntax Tree (AST) node for each part of the expression. Without input size restrictions, this can lead to the construction of an extremely large AST. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).
When exploited, this vulnerability can result in excessive memory usage and ultimately lead to an Out-Of-Memory (OOM) crash of the process. The impact is primarily on system availability, with no direct effect on confidentiality or integrity. This issue is most relevant in scenarios where input size isn't limited and the expression length is allowed to grow arbitrarily large (GitHub Advisory).
The vulnerability has been patched in Expr version 1.17.0, which introduces compile-time limits on the number of AST nodes and memory usage during parsing. For users who cannot immediately upgrade, the recommended workaround is to implement input size restrictions before parsing. This can be done by validating or limiting the length of expression strings that the application accepts, effectively preventing the parser from constructing pathologically large ASTs (GitHub Advisory).
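The following Go program is an added illustration of the two defenses described above, not code from the Expr project: a byte-length check applied before parsing (the workaround for unpatched versions) and a node budget enforced inside the parser (the kind of compile-time limit 1.17.0 introduced). The parser here is a deliberately tiny recursive-descent parser for a toy language (integers, identifiers, whitespace-separated `+` and `*`), and the constants `MaxExprBytes` and `MaxASTNodes` are illustrative values chosen for this example, not Expr's defaults. In a real service the same length guard would sit in front of `expr.Compile` on untrusted input.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Illustrative limits for this example; tune them to the largest expression
// your application legitimately needs. These are not Expr's defaults.
const (
	MaxExprBytes = 256 // rejected before parsing (the advisory's workaround)
	MaxASTNodes  = 32  // rejected during parsing (a 1.17.0-style AST node limit)
)

var (
	ErrTooLong      = errors.New("expression exceeds byte limit")
	ErrTooManyNodes = errors.New("expression exceeds AST node limit")
)

// Node is a minimal AST node: a leaf (Value set) or a binary "+" / "*" node.
type Node struct {
	Op          string
	Value       string
	Left, Right *Node
}

// parser is a toy recursive-descent parser that charges every allocated
// node against a budget, so a pathological input fails fast instead of
// growing the AST until the process runs out of memory.
type parser struct {
	toks  []string
	pos   int
	nodes int
	limit int
}

func (p *parser) newNode(n *Node) (*Node, error) {
	p.nodes++
	if p.nodes > p.limit {
		return nil, ErrTooManyNodes
	}
	return n, nil
}

// expr := term { "+" term }
func (p *parser) parseExpr() (*Node, error) {
	left, err := p.parseTerm()
	if err != nil {
		return nil, err
	}
	for p.pos < len(p.toks) && p.toks[p.pos] == "+" {
		p.pos++
		right, err := p.parseTerm()
		if err != nil {
			return nil, err
		}
		if left, err = p.newNode(&Node{Op: "+", Left: left, Right: right}); err != nil {
			return nil, err
		}
	}
	return left, nil
}

// term := atom { "*" atom }
func (p *parser) parseTerm() (*Node, error) {
	left, err := p.parseAtom()
	if err != nil {
		return nil, err
	}
	for p.pos < len(p.toks) && p.toks[p.pos] == "*" {
		p.pos++
		right, err := p.parseAtom()
		if err != nil {
			return nil, err
		}
		if left, err = p.newNode(&Node{Op: "*", Left: left, Right: right}); err != nil {
			return nil, err
		}
	}
	return left, nil
}

// atom := integer | identifier (any token that is not an operator)
func (p *parser) parseAtom() (*Node, error) {
	if p.pos >= len(p.toks) {
		return nil, errors.New("unexpected end of expression")
	}
	tok := p.toks[p.pos]
	if tok == "+" || tok == "*" {
		return nil, fmt.Errorf("unexpected operator %q", tok)
	}
	p.pos++
	return p.newNode(&Node{Value: tok})
}

// CompileBounded applies the size guard first (cheap, O(1)) and then parses
// under a node budget. Tokens must be whitespace-separated, e.g. "a + b * 2".
func CompileBounded(src string, maxBytes, maxNodes int) (*Node, error) {
	if len(src) > maxBytes {
		return nil, ErrTooLong
	}
	p := &parser{toks: strings.Fields(src), limit: maxNodes}
	root, err := p.parseExpr()
	if err != nil {
		return nil, err
	}
	if p.pos != len(p.toks) {
		return nil, fmt.Errorf("unexpected token %q", p.toks[p.pos])
	}
	return root, nil
}

// CountNodes returns the number of nodes in the AST.
func CountNodes(n *Node) int {
	if n == nil {
		return 0
	}
	return 1 + CountNodes(n.Left) + CountNodes(n.Right)
}

func main() {
	// Constructed inputs: a normal expression and an oversized one.
	root, err := CompileBounded("a + b * 2", MaxExprBytes, MaxASTNodes)
	fmt.Println("normal:", CountNodes(root), "nodes, err:", err)

	long := strings.Repeat("1 + ", 100) + "1"
	_, err = CompileBounded(long, MaxExprBytes, MaxASTNodes)
	fmt.Println("oversized, byte guard:", err)
	_, err = CompileBounded(long, 10000, MaxASTNodes)
	fmt.Println("oversized, node budget:", err)
}
```

The byte-length check is the only defense available to callers of an unpatched version, and it is worth keeping even after upgrading: it rejects bad input before any allocation happens, whereas the node budget still lets the parser allocate up to the limit before giving up.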
Source: This report was generated using AI