

Ethical Hacking News

A Critical Flaw in expr-eval Library Exposes Vulnerability to Remote Code Execution



A critical vulnerability in the expr-eval JavaScript library has been discovered, exposing systems that use it to remote code execution. With a severity rating of 9.8, it is a critical concern for developers and organizations. Affected projects are advised to migrate to expr-eval-fork v3.0.0 as soon as possible.

  • Security researchers have discovered a critical vulnerability (CVE-2025-12735) in the expr-eval JavaScript library, which can lead to remote code execution (RCE).
  • The vulnerability is attributed to the library's failure to validate the user-supplied variables/context object passed into Parser.evaluate().
  • A patch for the vulnerability is available in expr-eval-fork v3.0.0, but its merge into a new release remains uncertain due to the project maintainers being unresponsive.
  • Developers of popular JavaScript libraries are advised to conduct thorough security audits and implement necessary patches to protect against such vulnerabilities.


    In a concerning revelation, security researchers have uncovered a critical vulnerability in the popular JavaScript library expr-eval. This widely used library, which has garnered over 800,000 weekly downloads on NPM, is susceptible to remote code execution (RCE) through insufficiently validated user-supplied input.

    The discovery was made by security researcher Jangwoo Choe and is tracked as CVE-2025-12735. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), this vulnerability carries a severity rating of 9.8, which signifies that it is considered critical in terms of its potential impact on system security.

    The expr-eval library was initially developed by Matthew Crumley as a small JavaScript expression parser and evaluator. It has been used in various projects, including online calculators, educational suites, simulation tools, financial tools, and more recently, AI and natural language processing (NLP) systems that parse mathematical expressions from text prompts.

    The vulnerability is primarily attributed to the library's failure to validate the variables/context object passed into the Parser.evaluate() function. This oversight enables attackers to supply malicious function objects that the parser invokes during evaluation. As a result, an attacker can gain total control over the behavior of the software or achieve total disclosure of all information on the affected system.

    The vulnerability affects both the original expr-eval library and its actively maintained fork, expr-eval-fork. Affected projects are advised to switch to expr-eval-fork version 3.0.0 as soon as possible; it includes patches that enforce an allowlist of safe functions for evaluation, a registration system for custom functions, and improved test coverage for these constraints.
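    To make the mechanism and the fix concrete, the following is an added example and not code from expr-eval or expr-eval-fork (the article does not show their internals). It is a small expression evaluator in which the caller-supplied variables object is validated to contain only finite numbers before parsing, and function names appearing in an expression are resolved exclusively from a frozen allowlist plus a separate registration API, so nothing passed in at evaluation time can ever be invoked. The function names (evaluate, registerFunction, validateContext, rejectionReason) and the allowlist contents are assumptions for this example.

```javascript
'use strict';
// Added example, not code from expr-eval or expr-eval-fork. A minimal expression
// evaluator applying the two controls the article attributes to the fix:
// functions are resolved only from an allowlist/registry, and the untrusted
// variables object is validated so it can never carry callable values.

const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// Built-in allowlist of safe functions; frozen so evaluation cannot extend it.
const SAFE_FUNCTIONS = Object.freeze({ abs: Math.abs, sqrt: Math.sqrt, min: Math.min, max: Math.max });

// Registry for application-defined functions, populated by trusted startup
// code, never from the data passed to evaluate().
const customFunctions = new Map();

function registerFunction(name, fn) {
  if (!IDENT.test(name) || RESERVED.has(name)) throw new Error(`invalid function name: ${name}`);
  if (typeof fn !== 'function') throw new TypeError('registered value must be a function');
  customFunctions.set(name, fn);
}

function resolveFunction(name) {
  if (Object.prototype.hasOwnProperty.call(SAFE_FUNCTIONS, name)) return SAFE_FUNCTIONS[name];
  if (customFunctions.has(name)) return customFunctions.get(name);
  throw new Error(`unknown function: ${name}`);
}

// Copy the caller's variables into a prototype-less object, accepting only own
// identifier keys that map to finite numbers. Functions, nested objects and
// prototype-related keys are rejected before any expression is parsed.
function validateContext(ctx) {
  if (ctx === null || typeof ctx !== 'object' || Array.isArray(ctx)) {
    throw new TypeError('variables must be a plain object');
  }
  const clean = Object.create(null);
  for (const key of Object.keys(ctx)) {
    if (!IDENT.test(key) || RESERVED.has(key)) throw new Error(`invalid variable name: ${key}`);
    const value = ctx[key];
    if (typeof value !== 'number' || !Number.isFinite(value)) {
      throw new TypeError(`variable ${key} must be a finite number, got ${typeof value}`);
    }
    clean[key] = value;
  }
  return clean;
}

// Tokens: numbers, identifiers, and the operators + - * / ( ) ,
function tokenize(src) {
  const re = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_][A-Za-z0-9_]*)|([-+*\/(),]))/y;
  const tokens = [];
  src = src.trim();
  while (re.lastIndex < src.length) {
    const m = re.exec(src);
    if (!m) throw new Error(`unexpected input in expression: ${src}`);
    if (m[1] !== undefined) tokens.push({ type: 'num', value: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: 'id', value: m[2] });
    else tokens.push({ type: 'op', value: m[3] });
  }
  return tokens;
}

// Recursive-descent evaluation. An identifier followed by '(' is a call and
// goes through resolveFunction(); a bare identifier is looked up only in the
// validated variables, so a value from the caller's object is never invoked.
function evaluate(expression, variables = {}) {
  const vars = validateContext(variables);
  const tokens = tokenize(expression);
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  const expect = (v) => { const t = next(); if (!t || t.value !== v) throw new Error(`expected '${v}'`); };

  function parseExpr() {
    let left = parseTerm();
    while (peek() && (peek().value === '+' || peek().value === '-')) {
      const op = next().value, right = parseTerm();
      left = op === '+' ? left + right : left - right;
    }
    return left;
  }
  function parseTerm() {
    let left = parseFactor();
    while (peek() && (peek().value === '*' || peek().value === '/')) {
      const op = next().value, right = parseFactor();
      left = op === '*' ? left * right : left / right;
    }
    return left;
  }
  function parseFactor() {
    const t = next();
    if (!t) throw new Error('unexpected end of expression');
    if (t.type === 'num') return t.value;
    if (t.type === 'op' && t.value === '-') return -parseFactor();
    if (t.type === 'op' && t.value === '(') { const v = parseExpr(); expect(')'); return v; }
    if (t.type === 'id') {
      if (peek() && peek().value === '(') {
        next();
        const args = [];
        if (peek() && peek().value !== ')') {
          do { args.push(parseExpr()); } while (peek() && peek().value === ',' && next());
        }
        expect(')');
        return resolveFunction(t.value)(...args);
      }
      if (!(t.value in vars)) throw new Error(`undefined variable: ${t.value}`);
      return vars[t.value];
    }
    throw new Error(`unexpected token: ${t.value}`);
  }

  const result = parseExpr();
  if (pos !== tokens.length) throw new Error('unexpected trailing input');
  return result;
}

// Returns null when evaluate() accepts the input, otherwise the rejection message.
function rejectionReason(expression, variables) {
  try { evaluate(expression, variables); return null; } catch (e) { return e.message; }
}
```

    With this shape, passing `{ f: () => 0 }` as the variables object is rejected before the expression is even tokenized, an expression that calls a name outside the allowlist and registry fails at resolution, and a variables object carrying an own `__proto__` key (as `JSON.parse` can produce) is refused as well; the caller handles all of these as ordinary errors rather than as code paths that run attacker-chosen functions.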

    The implementation of the fix in expr-eval-fork v3.0.0 is available via a pull request; however, due to the project maintainers being unresponsive, it remains unclear when this patch will be merged into a new release. Users of expr-eval are therefore advised to migrate immediately to expr-eval-fork v3.0.0 and republish their libraries so that users receive the fix.

    This case highlights the importance of ongoing security testing and updates in software development. It serves as a reminder for developers of popular JavaScript libraries to conduct thorough security audits and implement necessary patches to protect against such vulnerabilities.

    In addition, this vulnerability emphasizes the need for organizations to stay vigilant in monitoring their systems for potential security breaches and to have robust incident response plans in place. This includes implementing measures to detect and respond to RCE attacks promptly.

    The discovery of CVE-2025-12735 underscores the ongoing threat landscape that software developers face and highlights the importance of prioritizing security in software development.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-Flaw-in-expr-eval-Library-Exposes-Vulnerability-to-Remote-Code-Execution-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/popular-javascript-library-expr-eval-vulnerable-to-rce-flaw/

  • https://cyberpress.org/critical-rce-flaw-in-popular-npm-libray/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-12735

  • https://www.cvedetails.com/cve/CVE-2025-12735/


  • Published: Mon Nov 10 12:38:08 2025 by llama3.2 3B Q4_K_M
