
Expr-eval JavaScript library RCE flaw (CVE-2025-12735)

Vulnerability
Happening score: 24
1 unique source, 1 article

Summary


expr-eval and expr-eval-fork are affected by CVE-2025-12735, a critical remote-code-execution flaw that can be triggered by maliciously crafted input to `Parser.evaluate()`. The issue puts projects that parse user-supplied expressions at risk, including tooling with over 800,000 weekly downloads on NPM. A fix is available in expr-eval-fork v3.0.0, and impacted users are urged to migrate immediately.

Related Happenings

CISA KEV remediation deadline for Langflow

Public Sector Action
First: 26.03.2026 21:17 · Last: 26.03.2026 21:17 · Sources: 1

About this happening: CISA added **CVE-2026-33017** to the **Known Exploited Vulnerabilities** list and ordered **federal agencies** to patch, mitigate, or stop using **Langflow** by **April 8, 2026**....

RondoDox botnet exploitation of XWiki CVE-2025-24893

Malware Activity
First: 15.11.2025 18:35 · Last: 15.11.2025 18:35 · Sources: 1

About this happening: The **RondoDox** botnet has begun **targeting unpatched XWiki instances** through **CVE-2025-24893**, expanding its reach and putting vulnerable servers at risk of **botnet recrui...

Timeline

  1. 10.11.2025 20:32 · 2 articles

    CVE-2025-12735 disclosed in expr-eval and expr-eval-fork

    Initial Disclosure

    Security researcher Jangwoo Choe identified CVE-2025-12735 in the expr-eval JavaScript library. CERT-CC described the flaw as a failure to validate the variables/context object passed into `Parser.evaluate()`, which allows malicious function objects to execute during evaluation. CISA rated the issue critical at 9.8. The vulnerability affects both expr-eval and expr-eval-fork; expr-eval-fork v3.0.0 includes a fix that enforces an allowlist of safe functions, adds custom-function registration, and improves test coverage.

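As an added illustration of the mitigation direction described in the timeline entry (validating the variables/context object and allowlisting callable functions), the following is example code written for this page, not code from expr-eval or expr-eval-fork. It assumes a constructed allowlist (`SAFE_FUNCTIONS`) and a hypothetical host-side `validateContext()` run before any evaluator sees the object.

```javascript
// Added example: validate an expression-evaluation context before handing it
// to any evaluator. Function values are accepted only if they are on an
// explicit allowlist. The allowlist below is constructed for this example and
// is not expr-eval's own list of safe functions.
const SAFE_FUNCTIONS = new Map([
  ["abs", Math.abs],
  ["min", Math.min],
  ["max", Math.max],
]);

class UnsafeContextError extends Error {}

// Returns a sanitized, prototype-less copy of `vars`, or throws
// UnsafeContextError. Allowed values: finite numbers, strings, booleans,
// arrays of those, and functions that are the same reference as an
// allowlisted implementation.
function validateContext(vars, allowedFns = SAFE_FUNCTIONS) {
  if (vars === null || typeof vars !== "object" || Array.isArray(vars)) {
    throw new UnsafeContextError("context must be a plain object");
  }
  const out = Object.create(null);
  for (const [name, value] of Object.entries(vars)) {
    out[name] = checkValue(name, value, allowedFns);
  }
  return out;
}

function checkValue(path, value, allowedFns) {
  switch (typeof value) {
    case "number":
      if (!Number.isFinite(value)) throw new UnsafeContextError(`${path}: non-finite number`);
      return value;
    case "string":
    case "boolean":
      return value;
    case "function":
      // Only an allowlisted implementation may be reachable from an expression.
      for (const fn of allowedFns.values()) if (fn === value) return value;
      throw new UnsafeContextError(`${path}: function not on allowlist`);
    default:
      if (Array.isArray(value)) {
        return value.map((v, i) => checkValue(`${path}[${i}]`, v, allowedFns));
      }
      // Nested objects (including class instances) may carry methods or
      // getters; reject them rather than attempt a deep inspection.
      throw new UnsafeContextError(`${path}: unsupported value type`);
  }
}
```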