
Critical RCE Flaw Found in Popular expr-eval JavaScript Library

Summary

– A critical vulnerability (CVE-2025-12735) in the expr-eval JavaScript library, which sees over 800,000 weekly downloads, allows remote code execution via malicious input.
– The vulnerability stems from the library’s failure to validate the variables/context object in the Parser.evaluate() function, enabling attackers to supply harmful function objects.
– This security flaw impacts both the original expr-eval and its actively maintained fork, expr-eval-fork, which together are used in more than 250 projects.
– A fix is available in expr-eval-fork version 3.0.0, which implements an allowlist of safe functions, a custom function registration system, and improved test coverage.
– Developers are urged to immediately migrate to expr-eval-fork v3.0.0, as the original project’s maintainers are unresponsive, delaying a fix in the main library.

A critical security vulnerability has been identified in the widely used expr-eval JavaScript library, which records more than 800,000 weekly downloads via NPM. This flaw enables remote code execution when attackers submit specially crafted malicious input, posing a severe risk to applications that depend on this library.

Discovered by security researcher Jangwoo Choe, the vulnerability is officially designated as CVE-2025-12735. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has assigned it a critical severity rating of 9.8, reflecting the high level of danger it represents.

Created by Matthew Crumley, expr-eval serves as a lightweight JavaScript expression parser and evaluator. It is commonly integrated into applications that need to securely parse and compute user-provided mathematical expressions during runtime. Typical use cases include online calculators, educational software, simulation platforms, financial analysis tools, and increasingly, artificial intelligence and natural language processing systems that interpret mathematical expressions from text inputs.

According to a recent advisory from the CERT Coordination Center (CERT-CC) at Carnegie Mellon’s Software Engineering Institute, the vulnerability stems from the library’s failure to properly validate the variables or context object supplied to the Parser.evaluate() function. This oversight allows an attacker to introduce malicious function objects that the parser executes during the evaluation process.

CERT-CC warns that this flaw grants an adversary complete control over the software’s behavior or full access to all information stored on the compromised system.

Both the original expr-eval library, whose last stable release occurred six years ago, and its actively maintained fork, expr-eval-fork, are affected by CVE-2025-12735. The fork itself sees over 80,000 weekly downloads on the NPM registry. Data from npmjs.com indicates that the library is incorporated into more than 250 projects.

A security patch addressing CVE-2025-12735 is available in expr-eval-fork version 3.0.0. Experts strongly recommend that affected projects transition to this updated version without delay. The fix introduces an allowlist of safe functions for evaluation, implements a registration system for custom functions, and enhances test coverage to enforce these new constraints.
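The advisory above describes the root cause (an unvalidated variables/context object handed to Parser.evaluate()) and the shape of the fix (an allowlist of safe functions plus explicit registration of custom ones). The following is an added illustration of that defensive pattern, written for this article; it is not code from expr-eval, expr-eval-fork, or the actual 3.0.0 patch. The names `sanitizeContext`, `registerFunction`, `safeEvaluate`, `SAFE_FUNCTIONS` and the tiny `demoEvaluate` stand-in are assumptions so the example runs offline without the library installed.

```javascript
// Added example (not expr-eval or expr-eval-fork code): validate the
// variables/context object before it reaches an expression evaluator.
// Function-valued entries are accepted only when explicitly allowlisted
// or registered, and only under the name they were registered with.

// Assumed allowlist of pure math helpers, kept prototype-less so lookups
// cannot resolve to Object.prototype methods such as toString.
const SAFE_FUNCTIONS = Object.freeze(Object.assign(Object.create(null), {
  abs: Math.abs,
  sqrt: Math.sqrt,
  min: Math.min,
  max: Math.max,
}));

// Registry for custom functions the application deliberately exposes.
const customFunctions = new Map();

function registerFunction(name, fn) {
  if (typeof name !== 'string' || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
    throw new TypeError(`invalid function name: ${String(name)}`);
  }
  if (typeof fn !== 'function') {
    throw new TypeError(`registered value for ${name} must be a function`);
  }
  customFunctions.set(name, fn);
}

// A function is allowed only if the exact same function object is bound
// to that exact name in the allowlist or the registry.
function isAllowedFunction(name, fn) {
  return SAFE_FUNCTIONS[name] === fn || customFunctions.get(name) === fn;
}

// Returns a new prototype-less object containing only numbers, strings,
// booleans, nested plain objects of the same shape, and allowed functions.
// Anything else (unregistered functions, arrays, reserved keys) is rejected.
function sanitizeContext(vars) {
  if (vars === null || typeof vars !== 'object') {
    throw new TypeError('context must be an object');
  }
  const clean = Object.create(null);
  for (const key of Object.keys(vars)) { // own enumerable keys only
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
      throw new Error(`rejected reserved key: ${key}`);
    }
    const value = vars[key];
    if (typeof value === 'function') {
      if (!isAllowedFunction(key, value)) {
        throw new Error(`rejected unregistered function: ${key}`);
      }
      clean[key] = value;
    } else if (['number', 'string', 'boolean'].includes(typeof value)) {
      clean[key] = value;
    } else if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      clean[key] = sanitizeContext(value);
    } else {
      throw new Error(`rejected unsupported value for key: ${key}`);
    }
  }
  return clean;
}

// `evaluate` is any (expression, context) => result callback, for instance
// (expr, ctx) => new Parser().evaluate(expr, ctx) once a patched parser is
// installed. The context is sanitized before the evaluator ever sees it.
function safeEvaluate(evaluate, expression, vars) {
  return evaluate(expression, sanitizeContext(vars));
}

// Stand-in evaluator so the example runs offline (assumed, not a real
// parser): supports only `name` and `name(name)` expressions.
function demoEvaluate(expression, ctx) {
  const call = /^([A-Za-z_]\w*)\((\w+)\)$/.exec(expression.trim());
  if (call) {
    const fn = ctx[call[1]];
    if (typeof fn !== 'function') throw new Error(`not a function: ${call[1]}`);
    return fn(ctx[call[2]]);
  }
  return ctx[expression.trim()];
}

// Usage: constructed input, a registered helper, and one rejected context.
registerFunction('double', (n) => n * 2);
console.log(safeEvaluate(demoEvaluate, 'sqrt(x)', { x: 16, sqrt: Math.sqrt }));
console.log(safeEvaluate(demoEvaluate, 'double(x)', { x: 3, double: customFunctions.get('double') }));
try {
  safeEvaluate(demoEvaluate, 'run(x)', { x: 1, run: () => 'never reached' });
} catch (err) {
  console.log('blocked:', err.message);
}
```

The key design choice is that the allowlist binds a function object to a name: a caller cannot smuggle an arbitrary callable in under any key, and cannot even pass an allowlisted function under a different name. Registration is the only path for application-specific functions, which mirrors the registration system the fork's fix introduces.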

For users of the original expr-eval library, a pull request containing the necessary fix has been submitted. However, due to unresponsive project maintainers, it remains unclear when this update will be merged into an official release. Software developers using vulnerable versions are urged to migrate immediately to expr-eval-fork v3.0.0 and republish their own libraries to ensure end-users receive the critical security update.

(Source: Bleeping Computer)
