TechRadar
Sead Fadilpašić

An incredibly popular JavaScript library might have some worrying malware issues

  • CVE-2025-12735 in expr-eval allows remote code execution via unsafe input evaluation
  • Vulnerable versions ≤2.0.2; patched in 2.0.3 and forked in expr-eval-fork 3.0.0
  • Developers should sanitize variables and avoid untrusted input in evaluate() calls

A widely adopted JavaScript library has been found to carry a critical vulnerability that could allow threat actors to execute malicious code remotely.

Security researcher Jangwoo Choe discovered an “insufficient input validation” bug in expr-eval, a library with more than 800,000 weekly downloads on npm. It parses and evaluates mathematical expressions from strings, and is meant to let developers safely compute user-entered formulas. It is generally used in web apps for calculators, data analysis tools, and expression-based logic.

The vulnerability was given a severity score of 9.8/10 (critical) and is now tracked as CVE-2025-12735. CERT/CC and industry trackers classify the bug as high-impact, stating that it is remotely exploitable, requires no privileges or user interaction, and can lead to full compromise of confidentiality, integrity and availability.

Fixes and mitigations

“This capability can be exploited to inject malicious code that executes system-level commands, potentially accessing sensitive local resources or exfiltrating data,” a CERT advisory reads. “This issue has been patched via Pull Request #288.”

The root cause of the issue stems from the library allowing function objects and other dangerous values into the evaluation context, so an attacker who can influence the variables object can supply functions that escape the sandbox and execute arbitrary JavaScript.

All versions up to and including 2.0.2 of the library were said to be vulnerable; a fix is available in version 2.0.3 and later.

Users can also mitigate the risk by migrating to the actively maintained fork, expr-eval-fork, version 3.0.0. Those whose apps call evaluate() on user-supplied or otherwise untrusted input should immediately stop feeding untrusted data into it, and wrap or sanitize the variables object so that functions and prototype-modifying fields cannot be injected.
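The "wrap or sanitize the variables object" advice above, shown as an added example (not code from expr-eval, its fork, or the advisory). It assumes only what the article states: evaluate() takes a plain object mapping variable names to values, and the fix is to keep function values and prototype-modifying keys out of that object. Here a numeric-only allow-list is applied before the object ever reaches the evaluator.

```javascript
// Added example: allow-list a variables object before passing it to evaluate().
// The names sanitizeVariables/isSafeVariables are this example's own, not the
// library's. Policy: only finite numbers (and flat arrays of finite numbers)
// under identifier-like keys; everything else is rejected rather than copied.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Returns a fresh null-prototype object so that nothing inherited from
// Object.prototype (or a polluted prototype) is visible to the evaluator.
function sanitizeVariables(input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new Error('variables must be a plain object');
  }
  const clean = Object.create(null);
  for (const key of Object.keys(input)) {
    // Own "__proto__" keys appear when the object came from JSON.parse().
    if (FORBIDDEN_KEYS.has(key) || !IDENT.test(key)) {
      throw new Error(`rejected variable name: ${JSON.stringify(key)}`);
    }
    const value = input[key];
    if (typeof value === 'function') {
      throw new Error(`rejected function value for ${key}`);
    }
    if (Array.isArray(value)) {
      if (!value.every((v) => typeof v === 'number' && Number.isFinite(v))) {
        throw new Error(`rejected non-numeric array for ${key}`);
      }
      clean[key] = value.slice(); // copy, so the caller cannot mutate it later
      continue;
    }
    if (typeof value !== 'number' || !Number.isFinite(value)) {
      throw new Error(`rejected non-numeric value for ${key}`);
    }
    clean[key] = value;
  }
  return clean;
}

// Boolean form for callers that prefer to log and drop the request
// instead of throwing.
function isSafeVariables(input) {
  try {
    sanitizeVariables(input);
    return true;
  } catch {
    return false;
  }
}
```

Call `parser.evaluate(expr, sanitizeVariables(userVars))` instead of passing the raw object; a thrown Error means the request carried something the evaluator should never see.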

The library enjoys widespread popularity. According to npmjs.com, it is currently used in more than 250 projects.

Via BleepingComputer

