- CVE-2025-12735 in expr-eval allows remote code execution via insecure input evaluation
- Vulnerable versions ≤2.0.2; patched in version 2.0.3 and also fixed in expr-eval-fork 3.0.0
- Developers should sanitize variable objects and avoid passing untrusted input to evaluate() calls
A widely adopted JavaScript library was found to have a critical vulnerability that could allow attackers to execute arbitrary code remotely.
Security researcher Jangwoo Choe discovered an “insufficient input validation” bug in expr-eval, a library with more than 800,000 weekly downloads on NPM. It parses and evaluates mathematical expressions from strings, letting developers calculate user-entered formulas without resorting to JavaScript's eval(). It is typically used in web applications for calculators, data analysis tools, and expression-based logic.
The vulnerability received a severity score of 9.8/10 (critical) and is now tracked as CVE-2025-12735. CERT/CC and industry trackers classify the bug as high impact: it is remotely exploitable, requires no privileges or user interaction, and can lead to a complete compromise of confidentiality, integrity, and availability.
Fixes and mitigations
“This capability can be exploited to inject malicious code that executes system-level commands, potentially accessing sensitive local resources or exfiltrating data,” a CERT advisory states. “This issue has been fixed via Pull Request #288.”
The root cause of the problem is that the library allows function objects and other dangerous values in the evaluation context, so an attacker who can influence the variables object can supply functions that escape the sandbox and execute arbitrary JavaScript.
All versions up to and including 2.0.2 of the library were considered vulnerable, with a fix available in versions 2.0.3 and later.
Users can also mitigate the risk by migrating to the actively maintained expr-eval-fork, version 3.0.0. Applications that call evaluate() on untrusted user-provided input should immediately stop feeding untrusted data into it, and should wrap or sanitize variable objects so that functions and prototype-modifying fields cannot be injected.
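The advisory's advice above (keep functions and prototype-modifying fields out of the variables object) can be enforced with an allow-list sanitizer in front of the evaluator. The following is an added example written for this article, not code from expr-eval or its maintainers. It assumes the application only needs numeric variables (scalars or arrays of numbers) with a known set of names, and that the sanitized object is what gets handed to expr-eval's `parser.evaluate(expression, variables)`; `MAX_EXPRESSION_LENGTH` is an assumed application limit and `toyEvaluate` is a stand-in so the block runs without the library installed. It rejects more than the functions the article describes: any non-numeric value and any non-identifier key is refused too.

```javascript
// Added example (not from the article or the expr-eval project).
// Assumption: variables are numbers or arrays of numbers with known names;
// anything else is rejected before reaching parser.evaluate(expression, vars).

const FORBIDDEN_NAMES = new Set(['__proto__', 'constructor', 'prototype']);
const NAME_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

function isFiniteNumber(v) {
  return typeof v === 'number' && Number.isFinite(v);
}

// Returns a prototype-less copy containing only vetted numeric variables.
// Throws on anything that could carry executable code into the evaluator.
function sanitizeVariables(raw, allowedNames) {
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) {
    throw new TypeError('variables must be a plain object');
  }
  const out = Object.create(null); // no Object.prototype reachable from the context
  for (const name of Object.keys(raw)) { // own enumerable keys only
    if (FORBIDDEN_NAMES.has(name) || !NAME_RE.test(name)) {
      throw new Error(`illegal variable name: ${JSON.stringify(name)}`);
    }
    if (allowedNames && !allowedNames.has(name)) {
      throw new Error(`unexpected variable: ${name}`);
    }
    const value = raw[name];
    if (isFiniteNumber(value)) {
      out[name] = value;
    } else if (Array.isArray(value) && value.every(isFiniteNumber)) {
      out[name] = value.slice();
    } else {
      // functions, nested objects, strings, NaN and Infinity all land here
      throw new TypeError(`variable ${name} must be a finite number or an array of them`);
    }
  }
  return out;
}

// Wrapper around any evaluate(expression, variables) function, for example
// (expr, vars) => parser.evaluate(expr, vars) with expr-eval's Parser.
// MAX_EXPRESSION_LENGTH is an assumed application limit, not from the advisory.
const MAX_EXPRESSION_LENGTH = 512;
function evaluateUntrusted(evaluateFn, expression, rawVariables, allowedNames) {
  if (typeof expression !== 'string' || expression.length > MAX_EXPRESSION_LENGTH) {
    throw new Error('expression rejected');
  }
  return evaluateFn(expression, sanitizeVariables(rawVariables, allowedNames));
}

// Stand-in evaluator so the example runs without expr-eval installed;
// it only understands "a + b". Real code would use new Parser().evaluate.
function toyEvaluate(expression, vars) {
  if (expression !== 'a + b') throw new Error('toy evaluator only handles "a + b"');
  return vars.a + vars.b;
}

function rejects(fn) {
  try { fn(); return false; } catch (e) { return true; }
}

// Constructed inputs: a benign object, one smuggling a function as a
// variable, and one parsed from JSON that carries an own "__proto__" key.
const benign = { a: 2, b: 3 };
const withFunction = { a: 2, b: () => 3 };
const fromJson = JSON.parse('{"a": 2, "b": 3, "__proto__": {"polluted": 1}}');
const ALLOWED = new Set(['a', 'b']);

console.log(evaluateUntrusted(toyEvaluate, 'a + b', benign, ALLOWED)); // 5
console.log(rejects(() => sanitizeVariables(withFunction, ALLOWED))); // true
console.log(rejects(() => sanitizeVariables(fromJson, ALLOWED))); // true
```

The sanitized object is created with `Object.create(null)` so that nothing on `Object.prototype` is reachable through the evaluation context, and only own enumerable keys are copied, so inherited or prototype-level properties never make it across. Keep the allow-list of names tight: a formula that legitimately needs `x` and `y` has no reason to accept anything else.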
The library enjoys great popularity. According to npmjs.com, it is currently used in over 250 projects.
Via BleepingComputer