CVE-2025-12735: expr-eval does not restrict functions passed to the evaluate function
(updated )
The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted variables object into the evaluate() function and trigger arbitrary code execution.
References
- github.com/advisories/GHSA-jc85-fpwf-qm7x
- github.com/jorenbroekema/expr-eval
- github.com/jorenbroekema/expr-eval/blob/460b820ba01c5aca6c5d84a7d4f1fa5d1913c67b/test/security.js
- github.com/jorenbroekema/expr-eval/commit/1d71bb2ca8f98df8de00e9cc4de8fdd468a7ad43
- github.com/silentmatt/expr-eval
- github.com/silentmatt/expr-eval/pull/288
- github.com/silentmatt/expr-eval/pull/289
- kb.cert.org/vuls/id/263614
- nvd.nist.gov/vuln/detail/CVE-2025-12735
- www.kb.cert.org/vuls/id/263614
- www.npmjs.com/package/expr-eval
- www.npmjs.com/package/expr-eval-fork
Code Behaviors & Features
Detect and mitigate CVE-2025-12735 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →