Critical vulnerability exposed in JavaScript library expr-eval
Briefly

"A critical security vulnerability in the popular JavaScript library expr-eval allows remote code execution. The bug, with a CVSS score of 9.8, affects hundreds of projects and is forcing developers to migrate to a secure version quickly. The vulnerability, registered as CVE-2025-12735, is listed in the US National Vulnerability Database (NVD) and is considered one of the most serious security issues in recent JavaScript ecosystems."
"According to the NVD, the bug results from insufficient validation of the context passed to the library's parser's evaluate() function. This allows an attacker to execute malicious functions via manipulated input, potentially resulting in complete control over the behavior of the affected application. BleepingComputer reports that the vulnerability was discovered by security researcher Jangwoo Choe, who shared his findings with the US CERT Coordination Center (CERT-CC)."
"Expr-eval is a compact JavaScript library for parsing and evaluating expressions. It is widely used in applications where users provide input that must then be converted into calculated values. Examples include online calculation tools, educational programs, financial software, and, increasingly, AI and natural language processing systems that need to derive numerical results from text. According to figures from the npm registry, expr-eval is downloaded more than 800,000 times a week and the library is included in over 250 projects."
The expr-eval library contains a critical vulnerability (CVE-2025-12735) with a CVSS score of 9.8 that enables remote code execution through insufficient validation of the context passed to the parser's evaluate() function. Attackers can inject manipulated input to invoke malicious functions and potentially gain complete control over affected applications. Both the original expr-eval and the expr-eval-fork are affected. Expr-eval is widely used, with over 800,000 weekly downloads and inclusion in more than 250 projects. Expr-eval-fork version 3.0.0 introduces security measures including an explicit allowlist and other mitigations.
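The summary above names the mitigation in expr-eval-fork 3.0.0 as an explicit allowlist. The following is an added example, not code from expr-eval, expr-eval-fork or the Techzine article: a small self-contained expression evaluator that applies that pattern. Caller-supplied context may carry numbers only; every function it carries is discarded, and the only callable names are the ones in a fixed allowlist. The `ALLOWED_FUNCTIONS` table, the `buildSafeContext` helper and the toy grammar are this example's own assumptions, not the library's API.

```javascript
// Added example (not expr-eval's code): an expression evaluator whose
// context is guarded by an explicit allowlist of callable names.
// ALLOWED_FUNCTIONS and the grammar below are assumptions of this example.

const ALLOWED_FUNCTIONS = Object.freeze({
  abs: Math.abs, min: Math.min, max: Math.max, sqrt: Math.sqrt,
});

// Returns { ctx, rejected }: ctx holds finite numbers plus the allowlisted
// functions (a null-prototype object, so no inherited names leak in);
// rejected lists the discarded keys so the caller can log them.
function buildSafeContext(userVars, allow = ALLOWED_FUNCTIONS) {
  const ctx = Object.create(null);
  const rejected = [];
  for (const [k, v] of Object.entries(userVars || {})) {
    if (typeof v === 'number' && Number.isFinite(v) && !(k in allow)) ctx[k] = v;
    else rejected.push(k); // functions, strings, objects, or shadowing attempts
  }
  for (const [k, f] of Object.entries(allow)) ctx[k] = f;
  return { ctx, rejected };
}

function tokenize(src) {
  const toks = [];
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (/\s/.test(c)) { i++; continue; }
    if (/[0-9.]/.test(c)) {
      let j = i;
      while (j < src.length && /[0-9.]/.test(src[j])) j++;
      const n = Number(src.slice(i, j));
      if (Number.isNaN(n)) throw new Error(`bad number at ${i}`);
      toks.push({ t: 'num', v: n }); i = j; continue;
    }
    if (/[A-Za-z_]/.test(c)) {
      let j = i;
      while (j < src.length && /\w/.test(src[j])) j++;
      toks.push({ t: 'id', v: src.slice(i, j) }); i = j; continue;
    }
    if ('+-*/(),'.includes(c)) { toks.push({ t: 'op', v: c }); i++; continue; }
    throw new Error(`unexpected character ${JSON.stringify(c)} at ${i}`);
  }
  return toks;
}

// Recursive descent: expr := term (('+'|'-') term)*; term := factor (('*'|'/')
// factor)*; factor := num | '-' factor | '(' expr ')' | id | id '(' args ')'.
// Every identifier resolves through the guarded ctx only, never through globals.
function evaluate(expression, userVars) {
  const { ctx } = buildSafeContext(userVars);
  const toks = tokenize(expression);
  let p = 0;
  const peekIs = (v) => p < toks.length && toks[p].v === v;
  const take = (v) => {
    const tok = toks[p++];
    if (!tok || (v !== undefined && tok.v !== v)) throw new Error(`expected ${v || 'token'}`);
    return tok;
  };
  function expr() {
    let left = term();
    while (peekIs('+') || peekIs('-')) {
      const op = take().v, right = term();
      left = op === '+' ? left + right : left - right;
    }
    return left;
  }
  function term() {
    let left = factor();
    while (peekIs('*') || peekIs('/')) {
      const op = take().v, right = factor();
      left = op === '*' ? left * right : left / right;
    }
    return left;
  }
  function factor() {
    const tok = take();
    if (tok.t === 'num') return tok.v;
    if (tok.t === 'op' && tok.v === '-') return -factor();
    if (tok.t === 'op' && tok.v === '(') { const v = expr(); take(')'); return v; }
    if (tok.t !== 'id') throw new Error(`unexpected token ${tok.v}`);
    if (peekIs('(')) {
      take('(');
      const args = [];
      if (!peekIs(')')) { args.push(expr()); while (peekIs(',')) { take(','); args.push(expr()); } }
      take(')');
      const fn = ctx[tok.v];
      if (typeof fn !== 'function') throw new Error(`function not allowed: ${tok.v}`);
      return fn(...args);
    }
    const val = ctx[tok.v];
    if (typeof val !== 'number') throw new Error(`unknown variable: ${tok.v}`);
    return val;
  }
  const result = expr();
  if (p !== toks.length) throw new Error('trailing input');
  return result;
}
```

The design point is that the allowlist is applied when the context is built, not when a call happens: a function smuggled in through user-controlled variables never reaches the evaluator, and the null-prototype context means names such as `constructor` do not resolve to anything callable either. Logging the `rejected` keys gives a cheap detection signal for callers who are probing the evaluator with non-numeric context values.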
Read at Techzine Global