microsoft · jslobodzian · Dec 26, 2025 · Dec 19, 2025 · Dec 22, 2025 · Dec 22, 2025
@@ -0,0 +1,150 @@
+From 6f26d5402b43cb7d71044ab0d7d444fbfb148b47 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Fri, 19 Dec 2025 10:48:43 +0000
+Subject: [PATCH] fix(builtin): limit recursion depth
+
+Add builtin.MaxDepth (default 10k) to prevent stack overflows when
+processing deeply nested or cyclic structures in builtin functions.
+The functions flatten, min, max, mean, and median now return a
+"recursion depth exceeded" error instead of crashing the runtime.
+
+Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/expr-lang/expr/pull/870.patch
+---
+ .../expr-lang/expr/builtin/builtin.go         | 13 ++++++----
+ .../github.com/expr-lang/expr/builtin/lib.go  | 24 ++++++++++++++-----
+ 2 files changed, 27 insertions(+), 10 deletions(-)
+
+diff --git a/vendor/github.com/expr-lang/expr/builtin/builtin.go b/vendor/github.com/expr-lang/expr/builtin/builtin.go
+index efc01fc2..3fcf4118 100644
+--- a/vendor/github.com/expr-lang/expr/builtin/builtin.go
++++ b/vendor/github.com/expr-lang/expr/builtin/builtin.go
+@@ -3,6 +3,7 @@ package builtin
+ import (
+ 	"encoding/base64"
+ 	"encoding/json"
++	"errors"
+ 	"fmt"
+ 	"reflect"
+ 	"sort"
+@@ -16,6 +17,10 @@ import (
+ var (
+ 	Index map[string]int
+ 	Names []string
++
++	// MaxDepth limits the recursion depth for nested structures.
++	MaxDepth      = 10000
++	ErrorMaxDepth = errors.New("recursion depth exceeded")
+ )
+
+ func init() {
+@@ -377,7 +382,7 @@ var Builtins = []*Function{
+ 	{
+ 		Name: "max",
+ 		Func: func(args ...any) (any, error) {
+-			return minMax("max", runtime.Less, args...)
++			return minMax("max", runtime.Less, 0, args...)
+ 		},
+ 		Validate: func(args []reflect.Type) (reflect.Type, error) {
+ 			return validateAggregateFunc("max", args)
+@@ -386,7 +391,7 @@ var Builtins = []*Function{
+ 	{
+ 		Name: "min",
+ 		Func: func(args ...any) (any, error) {
+-			return minMax("min", runtime.More, args...)
++			return minMax("min", runtime.More, 0, args...)
+ 		},
+ 		Validate: func(args []reflect.Type) (reflect.Type, error) {
+ 			return validateAggregateFunc("min", args)
+@@ -395,7 +400,7 @@ var Builtins = []*Function{
+ 	{
+ 		Name: "mean",
+ 		Func: func(args ...any) (any, error) {
+-			count, sum, err := mean(args...)
++			count, sum, err := mean(0, args...)
+ 			if err != nil {
+ 				return nil, err
+ 			}
+@@ -411,7 +416,7 @@ var Builtins = []*Function{
+ 	{
+ 		Name: "median",
+ 		Func: func(args ...any) (any, error) {
+-			values, err := median(args...)
++			values, err := median(0, args...)
+ 			if err != nil {
+ 				return nil, err
+ 			}
+diff --git a/vendor/github.com/expr-lang/expr/builtin/lib.go b/vendor/github.com/expr-lang/expr/builtin/lib.go
+index e3cd61b9..d9b9a3d8 100644
+--- a/vendor/github.com/expr-lang/expr/builtin/lib.go
++++ b/vendor/github.com/expr-lang/expr/builtin/lib.go
+@@ -258,7 +258,11 @@ func String(arg any) any {
+ 	return fmt.Sprintf("%v", arg)
+ }
+
+-func minMax(name string, fn func(any, any) bool, args ...any) (any, error) {
++func minMax(name string, fn func(any, any) bool, depth int, args ...any) (any, error) {
++	if depth > MaxDepth {
++		return nil, ErrorMaxDepth
++	}
++
+ 	var val any
+ 	for _, arg := range args {
+ 		rv := reflect.ValueOf(deref.Deref(arg))
+@@ -266,7 +270,7 @@ func minMax(name string, fn func(any, any) bool, args ...any) (any, error) {
+ 		case reflect.Array, reflect.Slice:
+ 			size := rv.Len()
+ 			for i := 0; i < size; i++ {
+-				elemVal, err := minMax(name, fn, rv.Index(i).Interface())
++				elemVal, err := minMax(name, fn, depth+1, rv.Index(i).Interface())
+ 				if err != nil {
+ 					return nil, err
+ 				}
+@@ -299,7 +303,11 @@ func minMax(name string, fn func(any, any) bool, args ...any) (any, error) {
+ 	return val, nil
+ }
+
+-func mean(args ...any) (int, float64, error) {
++func mean(depth int, args ...any) (int, float64, error) {
++	if depth > MaxDepth {
++		return 0, 0, ErrorMaxDepth
++	}
++
+ 	var total float64
+ 	var count int
+
+@@ -309,7 +317,7 @@ func mean(args ...any) (int, float64, error) {
+ 		case reflect.Array, reflect.Slice:
+ 			size := rv.Len()
+ 			for i := 0; i < size; i++ {
+-				elemCount, elemSum, err := mean(rv.Index(i).Interface())
++				elemCount, elemSum, err := mean(depth+1, rv.Index(i).Interface())
+ 				if err != nil {
+ 					return 0, 0, err
+ 				}
+@@ -332,7 +340,11 @@ func mean(args ...any) (int, float64, error) {
+ 	return count, total, nil
+ }
+
+-func median(args ...any) ([]float64, error) {
++func median(depth int, args ...any) ([]float64, error) {
++	if depth > MaxDepth {
++		return nil, ErrorMaxDepth
++	}
++
+ 	var values []float64
+
+ 	for _, arg := range args {
+@@ -341,7 +353,7 @@ func median(args ...any) ([]float64, error) {
+ 		case reflect.Array, reflect.Slice:
+ 			size := rv.Len()
+ 			for i := 0; i < size; i++ {
+-				elems, err := median(rv.Index(i).Interface())
++				elems, err := median(depth+1, rv.Index(i).Interface())
+ 				if err != nil {
+ 					return nil, err
+ 				}
+-- 
+2.45.4
+
@@ -1,7 +1,7 @@
 Summary:        Kubernetes-based Event Driven Autoscaling
 Name:           keda
 Version:        2.14.1
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -32,6 +32,7 @@ Patch6:         CVE-2025-29923.patch
 Patch7:         CVE-2025-22870.patch
 Patch8:         CVE-2024-51744.patch
 Patch9:         CVE-2025-22872.patch
+Patch10:        CVE-2025-68156.patch
 BuildRequires:  golang >= 1.15
 
 %description
@@ -67,6 +68,9 @@ cp ./bin/keda-admission-webhooks %{buildroot}%{_bindir}
 %{_bindir}/%{name}-admission-webhooks
 
 %changelog
+* Fri Dec 19 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.14.1-8
+- Patch for CVE-2025-68156
+
 * Fri Apr 25 2025 Kanishk Bansal <kanbansal@microsoft.com> - 2.14.1-7
 - Patch CVE-2025-22872