Full Report
A critical vulnerability in the popular expr-eval JavaScript library, with over 800,000 weekly downloads on NPM, can be exploited to execute code remotely through maliciously crafted input. [...]
Analysis Summary
# Vulnerability: Critical RCE in expr-eval via Unvalidated Context Objects
## CVE Details
- CVE ID: CVE-2025-12735
- CVSS Score: 9.8 (Critical)
- CWE: not stated in the advisory; the flaw is an input-validation failure that amounts to a sandbox escape from the expression evaluator.
## Affected Systems
- Products: `expr-eval` (original library) and `expr-eval-fork`
- Versions: All releases of the original `expr-eval` (no fixed release has been published; the fix exists only as a pull request). `expr-eval-fork` versions prior to 3.0.0.
- Configurations: Any deployment in which untrusted input reaches `Parser.evaluate()`, either as the expression string or as the variables/context object.
## Vulnerability Description
`Parser.evaluate()` does not validate or sanitize the variables (context) object passed to it. During evaluation the library invokes callable values it finds in that object, so an attacker who can get a function object into the context has it executed with the privileges of the Node.js process, which is Remote Code Execution (RCE). CERT/CC notes that this gives the adversary total control over the affected software's behavior and total disclosure of all information on the system.
## Exploitation
- Status: PoC reported (not reproduced in this analysis; inferred from the researcher disclosure and the critical rating; see the advisories)
- Complexity: Low (consistent with the 9.8 base score, which implies low attack complexity with no privileges or user interaction required)
- Attack Vector: Network (the expression and context object typically originate from a remote request)
## Impact
- Confidentiality: High (Total disclosure of all information)
- Integrity: High (Total control over software behavior)
- Availability: High
## Remediation
### Patches
- Migrate immediately to **`expr-eval-fork` version 3.0.0 or later**. This version enforces an allowlist of safe functions and improves constraint checks.
- A pull request addressing CVE-2025-12735 exists for the original `expr-eval` project, but maintainer responsiveness is unknown.
### Workarounds
- Until you can migrate to **`expr-eval-fork` v3.0.0+**, ensure that the context object passed to `Parser.evaluate()` contains only the strictly necessary, trusted primitive values (numbers, strings, booleans) and no functions, accessor properties, or nested objects that the evaluator could invoke. Treat this as a stopgap that limits exposure, not as a fix for the library.
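As an added example that is not part of the advisory or the expr-eval project, the guard below implements the workaround above in JavaScript: it copies only primitive values out of an untrusted context object into a fresh, prototype-less object and rejects functions, accessor properties, nested objects and symbol keys before anything reaches `Parser.evaluate()`. The names `sanitizeContext`, `isSafeContext` and `UnsafeContextError` and the sample contexts are constructed for the example; the library itself is not loaded here.

```javascript
// Added example (not expr-eval's own code): admit only trusted primitive
// values into the variables object handed to Parser.evaluate().
// The evaluator invokes callables it finds in that object, so the guard
// rejects anything that is, or can produce, a function: functions,
// accessor properties (a getter runs code when the key is looked up),
// nested objects and arrays, symbol keys, and keys that are not plain
// identifiers. The returned object has a null prototype so a lookup can
// never fall through to Object.prototype.

const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

class UnsafeContextError extends Error {
  constructor(key, reason) {
    super(`context key ${String(key)}: ${reason}`);
    this.name = "UnsafeContextError";
    this.key = key;
  }
}

function sanitizeContext(untrusted) {
  if (untrusted === null || typeof untrusted !== "object" || Array.isArray(untrusted)) {
    throw new UnsafeContextError("<root>", "context must be a plain object");
  }
  const safe = Object.create(null);
  // Reflect.ownKeys also returns non-enumerable and symbol-keyed properties,
  // which a for...in loop would silently skip.
  for (const key of Reflect.ownKeys(untrusted)) {
    if (typeof key === "symbol") {
      throw new UnsafeContextError(key, "symbol keys are not allowed");
    }
    if (!IDENTIFIER.test(key)) {
      throw new UnsafeContextError(key, "key is not a plain identifier");
    }
    const desc = Object.getOwnPropertyDescriptor(untrusted, key);
    if (!Object.prototype.hasOwnProperty.call(desc, "value")) {
      throw new UnsafeContextError(key, "accessor property (getter/setter) is not allowed");
    }
    const value = desc.value;
    const type = typeof value;
    if (type === "function") {
      throw new UnsafeContextError(key, "functions are not allowed");
    }
    if (type !== "number" && type !== "string" && type !== "boolean") {
      throw new UnsafeContextError(key, `${type} values are not allowed; only number, string, boolean`);
    }
    safe[key] = value;
  }
  return safe;
}

// Convenience predicate for callers that only need a yes/no answer.
function isSafeContext(candidate) {
  try {
    sanitizeContext(candidate);
    return true;
  } catch (err) {
    if (err instanceof UnsafeContextError) return false;
    throw err;
  }
}

// Constructed sample contexts: the first is what an application should be
// passing; the rest model attacker-influenced objects.
const SAMPLE_CONTEXTS = {
  plain: { x: 2, y: 3.5, label: "ok", enabled: true },
  hasFunction: { x: 2, run: () => "called" },
  hasGetter: { get x() { return 1; } },
  nestedObject: { x: { y: 1 } },
  badKey: { "a b": 1 },
};

for (const [name, ctx] of Object.entries(SAMPLE_CONTEXTS)) {
  console.log(name.padEnd(13), isSafeContext(ctx) ? "accepted" : "rejected");
}

// Intended call site (not executed here because expr-eval is not loaded):
//   const result = Parser.evaluate(expression, sanitizeContext(userContext));
```

Call `Parser.evaluate(expression, sanitizeContext(userContext))` and let an `UnsafeContextError` fail the request rather than fall back to the raw object. The guard only controls what the application puts into the context; it does not change what the evaluator does with whatever it finds there, so it narrows exposure but is no substitute for moving to `expr-eval-fork` 3.0.0+.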
## Detection
- **Indicators of Compromise:** Unexpected child processes spawned by a Node.js application that uses this library, or unusual file system access and outbound data transfers from the application's execution context.
- **Detection methods and tools:** Static Application Security Testing (SAST) tools should flag calls to `Parser.evaluate()` whose context argument is not a sanitized object of primitives. At runtime, monitor the Node.js process for child-process spawning and invocation of system utilities, which an expression evaluator has no legitimate reason to perform.
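Before hunting for runtime indicators it helps to know where the library is installed at all. The script below, an added example rather than anything from the advisory or the project, walks an npm `package-lock.json` (both the v1 nested `dependencies` layout and the v2/v3 `packages` layout) and reports every `expr-eval` entry, since the advisory lists no fixed release, and every `expr-eval-fork` entry below 3.0.0, including prereleases of 3.0.0. The lockfiles and version strings are constructed for the example, and the helper names are the example's own.

```javascript
// Added example (not the project's code): find expr-eval and
// expr-eval-fork entries in an npm lockfile and report the ones this
// advisory treats as vulnerable. Lockfile v1 nests packages under
// "dependencies"; v2 and v3 list them under "packages", keyed by their
// node_modules path. Both layouts are walked. The lockfiles below are
// constructed for the example; version strings are illustrative.

const FIXED_FORK_VERSION = "3.0.0";

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]". Returns null if the
// string is not a release version (e.g. a git URL or a "link:" entry).
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(version));
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

// True when `version` sorts before `fixed`. A prerelease of the fixed
// version (3.0.0-rc.1) still sorts before it, as semver specifies.
function isBefore(version, fixed) {
  const a = parseSemver(version);
  const b = parseSemver(fixed);
  if (!a || !b) throw new TypeError(`not a semver release: ${version} / ${fixed}`);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i];
  }
  return a.prerelease !== null && b.prerelease === null;
}

// Returns a finding object for a vulnerable package, or null.
function assess(name, version) {
  if (name === "expr-eval") {
    // The advisory lists no fixed release of the original library
    // (PR #288 is pending), so every version is reported.
    return { name, version, reason: "no fixed release of expr-eval; migrate to expr-eval-fork >= 3.0.0" };
  }
  if (name === "expr-eval-fork") {
    if (parseSemver(version) === null) {
      return { name, version, reason: "unparseable version; verify manually" };
    }
    if (isBefore(version, FIXED_FORK_VERSION)) {
      return { name, version, reason: `expr-eval-fork < ${FIXED_FORK_VERSION}` };
    }
  }
  return null;
}

// Yield { name, version, where } for every installed package.
function* walkLockfile(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "" || !meta.version) continue; // root project or link entry
      const idx = path.lastIndexOf("node_modules/");
      const name = idx === -1 ? path : path.slice(idx + "node_modules/".length);
      yield { name, version: meta.version, where: path };
    }
  } else if (lock.dependencies) {
    yield* walkV1(lock.dependencies, "");
  }
}

function* walkV1(deps, prefix) {
  for (const [name, meta] of Object.entries(deps)) {
    const where = `${prefix}node_modules/${name}`;
    if (meta.version) yield { name, version: meta.version, where };
    if (meta.dependencies) yield* walkV1(meta.dependencies, `${where}/`);
  }
}

function findVulnerable(lock) {
  const findings = [];
  for (const pkg of walkLockfile(lock)) {
    const hit = assess(pkg.name, pkg.version);
    if (hit) findings.push({ ...hit, where: pkg.where });
  }
  return findings;
}

// Constructed v3 lockfile: a vulnerable expr-eval, a fixed fork at the top
// level, and an outdated fork nested under a transitive dependency.
const SAMPLE_LOCK_V3 = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "expr-eval": "^2.0.2", "some-lib": "^1.0.0" } },
    "node_modules/expr-eval": { version: "2.0.2" },
    "node_modules/expr-eval-fork": { version: "3.0.0" },
    "node_modules/some-lib": { version: "1.0.0" },
    "node_modules/some-lib/node_modules/expr-eval-fork": { version: "2.0.2" },
  },
};

// Constructed v1 lockfile: expr-eval reachable only transitively.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-lib": { version: "1.0.0", dependencies: { "expr-eval": { version: "1.2.3" } } },
    "expr-eval-fork": { version: "3.1.0" },
  },
};

for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
  for (const f of findVulnerable(lock)) {
    console.log(`lockfileVersion ${lock.lockfileVersion}: ${f.where} (${f.name}@${f.version}) -> ${f.reason}`);
  }
}
```

In practice feed `findVulnerable` the result of `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and run it in CI alongside `npm audit`; walking the lockfile catches transitive copies nested under other dependencies that a grep of `package.json` would miss.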
## References
- Vendor Advisories: [CERT/CC Vulnerability Note on CVE-2025-12735 (kb.cert.org/vuls/id/263614)](https://kb.cert.org/vuls/id/263614)
- Relevant Links:
  - NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-12735
  - `expr-eval-fork` on npm (fixed in 3.0.0 and later): https://www.npmjs.com/package/expr-eval-fork
  - Original library pull request: https://github.com/silentmatt/expr-eval/pull/288