
Popular JavaScript library expr-eval susceptible to RCE flaw

A critical vulnerability in the popular expr-eval JavaScript library, which has over 800,000 weekly downloads on NPM, can be exploited to execute code remotely via maliciously crafted input.

The security issue was discovered by security researcher Jangwoo Choe and is tracked as CVE-2025-12735. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the severity rating is critical, with a score of 9.8.

Originally developed by Matthew Crumley, expr-eval is a small JavaScript expression parser and evaluator, used in projects that need to safely parse and compute user-supplied mathematical expressions at runtime.


Examples include online calculators, educational suites, simulation tools, financial tools, and, more recently, AI and natural language processing (NLP) systems that parse mathematical expressions out of text prompts.

In an advisory over the weekend, the CERT Coordination Center (CERT/CC) at Carnegie Mellon's Software Engineering Institute (SEI) says that the vulnerability is due to the library's failure to validate the variables/context object passed into the Parser.evaluate() function. Because the context is trusted as-is, an attacker who can influence it is able to supply malicious function objects that the parser then invokes during evaluation.

CVE-2025-12735 affects both the original expr-eval, whose last stable version was released six years ago, and its currently and actively maintained fork, expr-eval-fork, which has over 80,000 weekly downloads on the NPM package registry for Node.js.

Based on data from npmjs.com, the library is used by more than 250 projects. A security fix for CVE-2025-12735 is available in expr-eval-fork version 3.0.0, and impacted projects are recommended to switch to it as soon as possible.

The patch enforces an allowlist of safe functions for evaluation, adds a registration system for custom functions, and improves test coverage for these constraints.
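To make the flaw class and the shape of the fix concrete, here is an added example (not code from expr-eval, expr-eval-fork, or the CVE-2025-12735 patch). A tiny stand-in resolver shows the failure mode described above: any callable found in the context object is invoked under the requested name. Beside it is the pattern the fix describes: an allowlist registry of functions the application chooses to expose, and a context that is reduced to plain data before any evaluation happens. The registry contents, the function names, and the "hostile" context are all constructed for illustration.

```javascript
"use strict";

// Added example, not the library's code. SAFE_FUNCTIONS is an assumed
// application-level allowlist of functions an expression may call.
const SAFE_FUNCTIONS = Object.freeze({
  abs: Math.abs,
  sqrt: Math.sqrt,
  max: Math.max,
  min: Math.min,
});

// Stand-in for a resolver that trusts the caller's context object:
// whatever callable sits under `name` is invoked. This mirrors the
// class of bug described for CVE-2025-12735, not the library's code.
function unsafeCall(context, name, args) {
  const fn = context[name];
  if (typeof fn !== "function") {
    throw new Error(`${name} is not a function`);
  }
  return fn(...args);
}

// Hardened step 1: the user-supplied context is copied into a
// prototype-less object and may only carry plain data. Any function
// (or other non-data value) is rejected before evaluation starts.
function sanitizeContext(context) {
  const out = Object.create(null);
  for (const key of Object.keys(context)) {
    const value = context[key];
    const isPrimitive =
      typeof value === "number" ||
      typeof value === "string" ||
      typeof value === "boolean";
    if (isPrimitive) {
      out[key] = value;
    } else if (Array.isArray(value) && value.every((v) => typeof v === "number")) {
      out[key] = value.slice();
    } else {
      throw new TypeError(`context variable "${key}" has unsupported type ${typeof value}`);
    }
  }
  return Object.freeze(out);
}

// Hardened step 2: function names resolve only through the allowlist
// registry, never through the context, so a name like "sqrt" smuggled
// into the context can no longer shadow the real function.
function safeCall(registry, name, args) {
  if (!Object.prototype.hasOwnProperty.call(registry, name)) {
    throw new Error(`function "${name}" is not allowlisted`);
  }
  return registry[name](...args);
}

// Constructed demo: a context that carries a function under a plausible name.
// The "hostile" function only records that it ran; it stands in for
// attacker-controlled code.
function demo() {
  let hostileInvoked = false;
  const hostileContext = {
    x: 4,
    sqrt: () => {
      hostileInvoked = true;
      return 0;
    },
  };

  // Unvalidated path: the context's function is what gets executed.
  unsafeCall(hostileContext, "sqrt", [hostileContext.x]);
  const unsafeRan = hostileInvoked;

  // Hardened path: the same context is rejected before evaluation.
  let rejected = false;
  try {
    sanitizeContext(hostileContext);
  } catch (e) {
    rejected = e instanceof TypeError;
  }

  // Hardened path with clean data: the registry's sqrt is used, not the context's.
  const clean = sanitizeContext({ x: 16 });
  const result = safeCall(SAFE_FUNCTIONS, "sqrt", [clean.x]);

  return { unsafeRan, rejected, result };
}
```

The sanitizing step is a defense-in-depth check an application can apply to whatever it passes into Parser.evaluate(); it does not replace upgrading to a fixed release, since the library's own resolution logic is what the advisory faults.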

For users of the original expr-eval, there is a pull request that implements the fix; however, because the project's maintainers have been unresponsive, it is unknown when it will be merged into a new release.

Impacted software developers are advised to migrate immediately to expr-eval-fork v3.0.0 and republish their own libraries so that downstream users receive the fix.
