- CVE-2025-12735 in expr-eval allows remote code execution via insecure input evaluation
- Vulnerable versions ≤2.0.2; patched in 2.0.3 and forked in expr-eval-fork 3.0.0
- Developers should sanitize variables and avoid untrusted input in evaluate() calls
A widely adopted JavaScript library has been discovered to have a critical vulnerability that could allow threat actors to execute malicious code remotely.
Security researcher Jangwoo Choe discovered an “insufficient input validation” bug in expr-eval, a library with over 800,000 weekly downloads on NPM. The library parses and evaluates mathematical expressions from strings so that developers can calculate user-entered formulas safely. It is generally used in web applications for calculators, data analysis tools, and expression-based logic.
The vulnerability received a severity score of 9.8/10 (critical) and is now tracked as CVE-2025-12735. CERT/CC and industry trackers classify the bug as high-impact: they say it is remotely exploitable, requires no privileges or user interaction, and can compromise complete confidentiality, integrity, and availability.
Fixes and mitigations
“This capability can be exploited to inject malicious code that executes system-level commands, potentially accessing sensitive local resources or exfiltrating data,” reads a CERT advisory. “This issue was fixed by pull request #288.”
The root cause is that the library allows function objects and other dangerous values in the evaluation context, so an attacker who can influence the variables object can supply functions that escape the sandbox and execute arbitrary JavaScript.
All versions of the library up to and including 2.0.2 were said to be vulnerable, and a fix was available in versions 2.0.3 and later.
Users can also mitigate risk by migrating to the actively maintained fork expr-eval-fork, version 3.0.0. Applications that call evaluate() on untrusted user-supplied input should immediately stop passing untrusted data to it, and should wrap or sanitize variable objects so that no functions or prototype-modifying fields can be injected.
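The sanitizing wrapper described above, as an added example that is not code from expr-eval, expr-eval-fork, or the CERT advisory: it whitelists what may enter the variables object before the caller hands it to the library's evaluate(). The function names, the forbidden-key list and the sample input are assumptions; the block does not depend on the library itself.

```javascript
// Added example, not expr-eval's own code: whitelist what may enter the
// evaluation context before it is handed to expr-eval's evaluate(). Only
// finite numbers, booleans, strings and plain containers of those pass;
// functions, non-plain objects and prototype-modifying keys are rejected.

// Keys that would let a caller reach or alter the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Variable names an expression can reference: identifier-like only.
const IDENT_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Returns a sanitized copy of one value or throws on anything suspicious.
function sanitizeValue(value, path) {
  const t = typeof value;
  if (t === 'function') throw new TypeError(`function not allowed at ${path}`);
  if (t === 'number') {
    if (!Number.isFinite(value)) throw new RangeError(`non-finite number at ${path}`);
    return value;
  }
  if (t === 'boolean' || t === 'string') return value;
  if (Array.isArray(value)) {
    return value.map((v, i) => sanitizeValue(v, `${path}[${i}]`));
  }
  if (t === 'object' && value !== null) return sanitizeVariables(value, path);
  throw new TypeError(`unsupported ${t} at ${path}`);
}

// Copies only own, validated keys into a null-prototype object, so nothing
// inherited (constructor, toString, ...) is reachable from an expression.
function sanitizeVariables(vars, path = 'variables') {
  const proto = Object.getPrototypeOf(vars);
  if (proto !== Object.prototype && proto !== null) {
    throw new TypeError(`non-plain object at ${path}`);
  }
  const out = Object.create(null);
  for (const key of Object.keys(vars)) {
    if (FORBIDDEN_KEYS.has(key) || !IDENT_RE.test(key)) {
      throw new TypeError(`forbidden variable name "${key}" at ${path}`);
    }
    out[key] = sanitizeValue(vars[key], `${path}.${key}`);
  }
  return out;
}

// Constructed sample of request-supplied variables; pass the sanitized copy,
// never the raw object, to Parser.evaluate(expression, clean).
const clean = sanitizeVariables({ width: 3, height: 4, scale: [1, 2] });
```

A JSON body carrying an own `"__proto__"` key, a function merged in server-side, or a non-plain object such as a Date all make sanitizeVariables throw before evaluate() ever sees them.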
The library is very popular. According to npmjs.com, it is currently used in more than 250 projects.
Via BleepingComputer