Popular JavaScript library expr-eval vulnerable to RCE flaw
Briefly

"A critical vulnerability in the popular expr-eval JavaScript library, with over 800,000 weekly downloads on NPM, can be exploited to execute code remotely through maliciously crafted input. The security issue was discovered by security researcher Jangwoo Choe and is tracked as CVE-2025-12735. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the severity rating is critical, with a score of 9.8."
"In an advisory over the weekend, the CERT Coordination Center (CERT-CC) for Carnegie Mellon's Software Engineering Institute (SEI) says that the vulnerability is due to the library's failure to validate the variables/context object passed into the Parser.evaluate() function, which allows an attacker to supply malicious function objects that the parser invokes during evaluation. 'The vulnerability gives the adversary total control over the behavior of the software or total disclosure of all information on the affected system' - CERT-CC"
Expr-eval, a JavaScript expression parser with over 800,000 weekly NPM downloads, contains a critical remote code execution vulnerability tracked as CVE-2025-12735. The issue, discovered by Jangwoo Choe, received a CISA severity score of 9.8. The vulnerability stems from a failure to validate the variables/context object passed to Parser.evaluate(), allowing attackers to supply malicious function objects that the parser invokes during evaluation. CERT-CC reports that the flaw can give adversaries total control of the software or full disclosure of all information on the affected system. Both the original expr-eval and the actively maintained expr-eval-fork are affected. A security fix exists in expr-eval-fork 3.0.0, which enforces an allowlist and function registration.
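The root cause described above is an evaluator that trusts whatever the caller puts in the variables/context object, including callables. The following is an added illustration, not code from the article or from the expr-eval or expr-eval-fork projects: a guard layer a service can place in front of any expression evaluator, applying the two controls the summary attributes to the fix, a check that the untrusted context carries only plain data (no function values at any depth), and an explicit registry so that only functions registered by the application can be called. The tiny `safeEvaluateCall` evaluator and the `FunctionRegistry` class are assumptions for the demo and do not reproduce the library's parser or its `Parser.evaluate()` API.

```javascript
// Added example (not from the article or the expr-eval project). Shows a
// defensive boundary between untrusted context data and an expression
// evaluator: functions in the context are rejected, and only registered
// functions are callable. The evaluator stand-in is an assumption.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Return a plain-data copy of `context` (primitives, plain objects, arrays).
// Throws TypeError on any function value at any depth, on non-plain objects
// (class instances, Maps, etc.), and on prototype-polluting key names.
function sanitizeContext(context, path = 'context') {
  if (context === null || typeof context !== 'object') {
    throw new TypeError(`${path}: context must be a plain object`);
  }
  const out = Array.isArray(context) ? [] : Object.create(null);
  for (const key of Object.keys(context)) {
    const here = `${path}.${key}`;
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`${here}: key name is not allowed`);
    }
    const value = context[key];
    if (typeof value === 'function') {
      throw new TypeError(`${here}: functions are not allowed in untrusted context`);
    }
    if (value !== null && typeof value === 'object') {
      const proto = Object.getPrototypeOf(value);
      if (proto !== Object.prototype && proto !== Array.prototype && proto !== null) {
        throw new TypeError(`${here}: only plain objects and arrays are allowed`);
      }
      out[key] = sanitizeContext(value, here); // recurse into nested data
    } else {
      out[key] = value; // string, number, boolean, undefined, bigint
    }
  }
  return out;
}

// Allowlist of callable functions. Only names registered by the application
// are reachable from an expression; nothing from the context can add to it.
class FunctionRegistry {
  constructor() {
    this.fns = new Map();
  }
  register(name, fn) {
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
      throw new TypeError(`invalid function name: ${name}`);
    }
    if (typeof fn !== 'function') {
      throw new TypeError(`${name}: not a function`);
    }
    this.fns.set(name, fn);
    return this;
  }
  has(name) {
    return this.fns.has(name);
  }
  call(name, ...args) {
    const fn = this.fns.get(name);
    if (fn === undefined) {
      throw new Error(`function "${name}" is not registered`);
    }
    return fn(...args);
  }
}

// Stand-in evaluator (assumption) for expressions of the form name(v1, v2).
// Arguments are looked up by name in the sanitized context; the callee must
// come from the registry, never from the context.
function safeEvaluateCall(expr, untrustedContext, registry) {
  const m = /^([A-Za-z_][A-Za-z0-9_]*)\((.*)\)$/.exec(expr.trim());
  if (m === null) {
    throw new SyntaxError('unsupported expression; expected name(args)');
  }
  const ctx = sanitizeContext(untrustedContext); // throws before any call
  const args = m[2]
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((v) => {
      if (!(v in ctx)) throw new ReferenceError(`unknown variable ${v}`);
      return ctx[v];
    });
  return registry.call(m[1], ...args);
}

// Usage: a registry with two approved functions and a context that arrived
// as JSON (constructed sample input).
const registry = new FunctionRegistry()
  .register('max', Math.max)
  .register('len', (s) => String(s).length);
console.log(safeEvaluateCall('max(a, b)', JSON.parse('{"a": 3, "b": 7}'), registry)); // 7
```

Because the context is reduced to plain data before evaluation, a caller that ships a function value (or an object with a custom prototype) is rejected with a TypeError before any function is invoked, and an expression naming an unregistered function fails even if the context happens to contain a key of that name.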
Read at BleepingComputer