High severity7.5OSV Advisory· Published Oct 10, 2025· Updated Apr 15, 2026
CVE-2025-62162
CVE-2025-62162
Description
cel-rust is a Common Expression Language interpreter written in Rust. Starting in version 0.10.0 and prior to version 0.11.4, parsing certain malformed CEL expressions can cause the parser to panic, terminating the process. When the crate is used to evaluate untrusted expressions (e.g., user-supplied input over an API), an attacker can send crafted input to trigger a denial of service (DoS). Version 0.11.4 fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
celcrates.io | >= 0.10.0, < 0.11.4 | 0.11.4 |
Affected products
1Patches
19df9822d81d9fix(parser): Gets rid of ever invoking Visitable with no impl
2 files changed · +10 −4
cel/src/parser/gen/celparser.rs+9 −3 modified@@ -2128,7 +2128,9 @@ impl<'input> Deref for MemberContextAll<'input> { } impl<'input, 'a> Visitable<dyn CELVisitor<'input> + 'a> for MemberContextAll<'input> { fn accept(&self, visitor: &mut (dyn CELVisitor<'input> + 'a)) { - self.deref().accept(visitor) + if !matches!(self, MemberContextAll::Error(_)) { + self.deref().accept(visitor) + } } } impl<'input, 'a> Listenable<dyn CELListener<'input> + 'a> for MemberContextAll<'input> { @@ -5203,7 +5205,9 @@ impl<'input> Deref for EscapeIdentContextAll<'input> { } impl<'input, 'a> Visitable<dyn CELVisitor<'input> + 'a> for EscapeIdentContextAll<'input> { fn accept(&self, visitor: &mut (dyn CELVisitor<'input> + 'a)) { - self.deref().accept(visitor) + if !matches!(self, EscapeIdentContextAll::Error(_)) { + self.deref().accept(visitor) + } } } impl<'input, 'a> Listenable<dyn CELListener<'input> + 'a> for EscapeIdentContextAll<'input> { @@ -5660,7 +5664,9 @@ impl<'input> Deref for LiteralContextAll<'input> { } impl<'input, 'a> Visitable<dyn CELVisitor<'input> + 'a> for LiteralContextAll<'input> { fn accept(&self, visitor: &mut (dyn CELVisitor<'input> + 'a)) { - self.deref().accept(visitor) + if !matches!(self, LiteralContextAll::Error(_)) { + self.deref().accept(visitor) + } } } impl<'input, 'a> Listenable<dyn CELListener<'input> + 'a> for LiteralContextAll<'input> {
cel/src/parser/parser.rs+1 −1 modified@@ -1059,7 +1059,7 @@ mod tests { #[test] fn test_bad_input() { - let expressions = ["1 + ()", "/", ".", "@foo"]; + let expressions = ["1 + ()", "/", ".", "@foo", "x(1,)"]; for expr in expressions { assert!( Parser::new().parse(expr).is_err(),
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-wxwx-9fh7-5mrwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-62162ghsaADVISORY
- github.com/cel-rust/cel-rust/commit/9df9822d81d91a3ce0fc9f712f4574a659247be3ghsaWEB
- github.com/cel-rust/cel-rust/releases/tag/cel-v0.11.4nvdWEB
- github.com/cel-rust/cel-rust/security/advisories/GHSA-wxwx-9fh7-5mrwnvdWEB
News mentions
0No linked articles in our index yet.