- CVE-2025-12735 in expr-eval allows remote code execution via insecure input evaluation
- Vulnerable versions ≤2.0.2; patched in 2.0.3 and forked in expr-eval-fork 3.0.0
- Developers should sanitize the variables object and stop passing untrusted input to evaluate() calls
A widespread JavaScript library has been found with a critical vulnerability that could allow threat actors to execute malicious code remotely.
Security researcher Jangwoo Choe discovered an “insufficient input validation” bug in expr-eval, a library with more than 800,000 weekly downloads on NPM. It parses and evaluates mathematical expressions from strings and is meant to let developers safely calculate user-entered formulas. It is typically used in web apps for calculators, data analysis tools, and expression-based logic.
The vulnerability was given a severity rating of 9.8/10 (Critical) and is now tracked as CVE-2025-12735. CERT/CC and industry trackers classify the flaw as high-impact: it can be exploited remotely, requires no privileges or user interaction, and can cause a full loss of confidentiality, integrity and availability.
Corrections and remedies
“This capability could be exploited to inject malicious code that executes system-level commands, potentially accessing sensitive local resources or exfiltrating data,” reads a CERT advisory. “This issue has been fixed via Pull Request #288.”
The root cause is that the library accepts function objects and other dangerous values in the evaluation context, so an attacker who can influence the variables object passed to evaluate() can supply functions that escape the sandbox and execute arbitrary JavaScript.
All versions up to and including 2.0.2 of the library are vulnerable; the fix is available in version 2.0.3 and later.
Users can also mitigate the risk by migrating to the actively maintained fork expr-eval-fork, version 3.0.0. Users whose apps call evaluate() on user-supplied or otherwise untrusted input should immediately stop feeding untrusted data into it, and should wrap or sanitize the variables object so that functions and prototype-modifying fields cannot be injected.
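To make the root-cause paragraph and the mitigation advice concrete, here is an added example (not code from the article, the advisory or the expr-eval project) of a whitelisting gate placed in front of an evaluate(expression, variables) call. It copies the variables object into a prototype-less object that may contain only numbers, booleans, strings, arrays and plain nested objects, rejecting functions, prototype-modifying keys and, as an extra precaution the article does not mention, class instances whose prototype could carry methods. The function names, limits and sample inputs are assumptions for illustration, and the evaluator passed to safeEvaluate is whatever the application already uses, such as an expr-eval Parser instance's evaluate method.

```javascript
// Added example, not code from the article or from the expr-eval project:
// a whitelisting wrapper for the `variables` object handed to an
// evaluate(expression, variables) call. Function names, limits and the
// sample inputs below are assumptions for illustration.
'use strict';

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const MAX_DEPTH = 4;

function isScalar(v) {
  return typeof v === 'number' || typeof v === 'boolean' || typeof v === 'string';
}

// Returns a prototype-less copy containing only scalars, arrays and plain
// nested objects; throws on anything that could smuggle executable code or
// reach the prototype chain.
function sanitizeVariables(input, depth = 0) {
  if (depth > MAX_DEPTH) throw new TypeError('variables nested too deeply');
  if (input === null || typeof input !== 'object') {
    throw new TypeError('variables must be an object');
  }
  if (Array.isArray(input)) {
    return input.map((v) => sanitizeValue(v, '[array element]', depth));
  }
  // Only plain objects: a class instance or an object literal written as
  // { __proto__: ... } has a foreign prototype and is refused outright.
  const proto = Object.getPrototypeOf(input);
  if (proto !== Object.prototype && proto !== null) {
    throw new TypeError('only plain objects are accepted (no class instances)');
  }
  const out = Object.create(null);                 // nothing inherited
  for (const key of Object.keys(input)) {          // own enumerable keys only
    if (FORBIDDEN_KEYS.has(key) || !IDENT.test(key)) {
      throw new TypeError(`rejected variable name: ${JSON.stringify(key)}`);
    }
    out[key] = sanitizeValue(input[key], key, depth);
  }
  return out;
}

function sanitizeValue(v, name, depth) {
  if (isScalar(v)) return v;
  if (typeof v === 'function') throw new TypeError(`function value rejected for ${name}`);
  if (v !== null && typeof v === 'object') return sanitizeVariables(v, depth + 1);
  throw new TypeError(`unsupported ${typeof v} value for ${name}`);
}

// Runs a formula against the sanitized variable set. `evaluate` is the
// application's own evaluator, e.g. expr-eval's parser.evaluate bound to a
// Parser instance; a maximum expression length is enforced as well.
function safeEvaluate(evaluate, expression, variables, maxLength = 256) {
  if (typeof expression !== 'string' || expression.length > maxLength) {
    throw new TypeError('expression must be a short string');
  }
  return evaluate(expression, sanitizeVariables(variables));
}

// Constructed sample inputs: one benign variables object and three hostile
// shapes (a function value, a prototype-modifying key arriving via JSON,
// and a class instance).
const SAMPLES = {
  benign: { x: 2, y: 3, rates: [1.5, 2.5] },
  functionValue: { x: 2, run: () => 'escaped' },
  protoKey: JSON.parse('{"x": 1, "__proto__": {"polluted": true}}'),
  classInstance: new (class Box { constructor() { this.x = 1; } get() {} })(),
};

// Reports which samples the gate accepts and which it rejects.
function classify(samples = SAMPLES) {
  const result = {};
  for (const [name, vars] of Object.entries(samples)) {
    try {
      sanitizeVariables(vars);
      result[name] = 'accepted';
    } catch (e) {
      result[name] = `rejected: ${e.message}`;
    }
  }
  return result;
}

console.log(classify());
```

The gate runs before the library is ever touched, so it helps on unpatched versions too, but it is a compensating control, not a substitute for upgrading to 2.0.3 or expr-eval-fork 3.0.0: the sanitizer only governs what reaches the variables object, while the fix governs what the evaluator itself will accept.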
The library enjoys great popularity. According to npmjs.com, it is currently used in more than 250 projects.
Via Bleeping Computer