Critical RCE flaw in expr-eval JavaScript library
Summary
A critical remote code execution (RCE) vulnerability (CVE-2025-12735) in the expr-eval JavaScript library, with over 800,000 weekly downloads, allows attackers to execute code via malicious input. The flaw stems from insufficient validation in the Parser.evaluate() function. The vulnerability affects both the original expr-eval and its fork, expr-eval-fork, impacting over 250 projects. A patch is available in expr-eval-fork v3.0.0, enforcing an allowlist of safe functions and improved test coverage.
Timeline
- 10.11.2025 20:32 (1 article)
Critical RCE flaw in expr-eval JavaScript library disclosed
- Popular JavaScript library expr-eval vulnerable to RCE flaw — www.bleepingcomputer.com — 10.11.2025 20:32
Information Snippets
- The vulnerability is tracked as CVE-2025-12735 with a CVSS score of 9.8.
  First reported: 10.11.2025 20:32 (1 source, 1 article)
- The flaw is due to insufficient validation of variables/context objects passed to the Parser.evaluate() function.
  First reported: 10.11.2025 20:32 (1 source, 1 article)
- The vulnerability affects both the original expr-eval and its fork, expr-eval-fork.
  First reported: 10.11.2025 20:32 (1 source, 1 article)
- The library is used in over 250 projects, including online calculators, educational suites, and AI/NLP systems.
  First reported: 10.11.2025 20:32 (1 source, 1 article)
- A patch is available in expr-eval-fork v3.0.0, enforcing an allowlist of safe functions and improved test coverage.
  First reported: 10.11.2025 20:32 (1 source, 1 article)
- The original expr-eval project maintainers are unresponsive, delaying a fix for that version.
  First reported: 10.11.2025 20:32 (1 source, 1 article)
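The snippets above describe the root cause (insufficient validation of the variables/context object passed to Parser.evaluate()) and the fix (an allowlist of safe functions). The following is an added defensive example, not code from expr-eval or its fork: a validator that an application can apply to untrusted input before handing it to the evaluator, so the context can only carry data, never callable or structured values. It assumes the evaluator is invoked as parser.evaluate(expression, context); the limits and the hypothetical `sanitizeContext` helper are this example's own.

```javascript
// Added example (not expr-eval's own code): validate a caller-supplied
// variables/context object before it reaches an expression evaluator.
// Assumption: the evaluator is invoked as parser.evaluate(expression, context),
// matching the Parser.evaluate() call described on the page.
const MAX_VARIABLES = 64;          // assumed application limit
const MAX_STRING_LENGTH = 256;     // assumed application limit
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;
// Names that would reach Object internals or shadow the evaluator's own
// function table; rejected regardless of the value they carry.
const RESERVED_NAMES = new Set(['__proto__', 'constructor', 'prototype']);

class UnsafeContextError extends Error {}

// Returns a prototype-less copy of `context` holding only finite numbers,
// booleans and short strings. Functions, objects, arrays, symbols and
// non-finite numbers are rejected, so untrusted input can only supply data,
// never behaviour, to the evaluator.
function sanitizeContext(context) {
  if (context === null || typeof context !== 'object' || Array.isArray(context)) {
    throw new UnsafeContextError('context must be a plain object');
  }
  const keys = Object.keys(context);
  if (keys.length > MAX_VARIABLES) {
    throw new UnsafeContextError(`too many variables (${keys.length})`);
  }
  const clean = Object.create(null);
  for (const name of keys) {
    if (!IDENTIFIER.test(name) || RESERVED_NAMES.has(name)) {
      throw new UnsafeContextError(`disallowed variable name: ${name}`);
    }
    const value = context[name];
    const type = typeof value;
    const allowed =
      (type === 'number' && Number.isFinite(value)) ||
      type === 'boolean' ||
      (type === 'string' && value.length <= MAX_STRING_LENGTH);
    if (!allowed) {
      throw new UnsafeContextError(`variable ${name}: ${type} values are not allowed`);
    }
    clean[name] = value;
  }
  return clean;
}

// Usage with an evaluator (hypothetical call shape):
//   parser.evaluate(expression, sanitizeContext(untrustedInput));
```

Pair this with the allowlisted function table the patched fork enforces: the context validator stops callable values arriving from the caller, while the evaluator's own function set stays fixed.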