PT-2025-45064 · Pypi · Expr-Eval

Published 2025-11-05 · Updated 2026-01-09 · CVE-2025-12735

CVSS v2.0: 10 (Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Name of the Vulnerable Software and Affected Versions

expr-eval versions prior to 3.0.0
expr-eval-fork versions prior to 3.0.0
Description

The expr-eval library, a JavaScript expression parser and evaluator, is susceptible to remote code execution (RCE). This issue stems from inadequate input validation when processing user-defined variables or context objects passed to the `evaluate()` function. An attacker can supply a crafted object to this function, leading to the execution of arbitrary JavaScript code within the application's context. The library is used in over 250 projects, including online calculators, modeling tools, financial applications, and AI/NLP systems. Over 800,000 projects download expr-eval weekly, and over 88,000 download expr-eval-fork weekly. The vulnerability allows an attacker to gain full control over the affected system. The vulnerable component is the `Parser.evaluate()` function, which does not properly validate the input `variables` object.
Recommendations

Upgrade to expr-eval-fork version 3.0.0 or later. Upgrade to expr-eval version 3.0.0 or later, if a release including the fix becomes available.
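Where upgrading is not immediately possible, the application itself can enforce the validation the advisory says the library lacks: constrain the `variables` object before it reaches `Parser.evaluate()`. The following is an added example, not code from the advisory or from the expr-eval project. It assumes the application builds the variables object from untrusted input (for example a JSON request body) and keeps only plain number, string and boolean values under identifier-like keys, failing closed on functions, nested objects and prototype-related keys. The name `sanitizeVariables` and the error class are hypothetical; the library call is shown only in a comment so the block runs without the package installed.

```javascript
// Added example (not from the advisory or the expr-eval project): a defender-side
// guard applied to a user-supplied variables object before Parser.evaluate().
// Assumption: the application, not the library, owns input validation here.

const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
const DENIED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

class UnsafeVariablesError extends Error {}

function sanitizeVariables(input) {
  // Reject anything that is not an object, and reject arrays outright.
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new UnsafeVariablesError('variables must be a plain object');
  }
  // Only accept plain object literals (or null-prototype objects); class
  // instances can carry methods and getters the evaluator may reach.
  const proto = Object.getPrototypeOf(input);
  if (proto !== Object.prototype && proto !== null) {
    throw new UnsafeVariablesError('variables must be a plain object literal');
  }
  // Build a null-prototype copy so no inherited properties are visible.
  const out = Object.create(null);
  for (const key of Object.keys(input)) {
    // JSON.parse('{"__proto__": ...}') yields an own "__proto__" key; deny it,
    // along with any key that is not a simple identifier.
    if (DENIED_KEYS.has(key) || !IDENT.test(key)) {
      throw new UnsafeVariablesError(`rejected variable name: ${JSON.stringify(key)}`);
    }
    const value = input[key];
    const t = typeof value;
    if (t === 'number') {
      if (!Number.isFinite(value)) {
        throw new UnsafeVariablesError(`non-finite number for ${key}`);
      }
      out[key] = value;
    } else if (t === 'string' || t === 'boolean') {
      out[key] = value;
    } else {
      // functions, objects, symbols, bigints, undefined: none belong in a
      // numeric/string expression context, so fail closed.
      throw new UnsafeVariablesError(`unsupported value type ${t} for ${key}`);
    }
  }
  return out;
}

// Constructed sample input, as an application might receive it from a request body.
const constructedRequestBody = '{"price": 19.99, "qty": 3, "currency": "EUR"}';
const safeVars = sanitizeVariables(JSON.parse(constructedRequestBody));

// Assumed usage with the library (kept as a comment so this block runs offline):
// const { Parser } = require('expr-eval');
// const total = Parser.evaluate('price * qty', safeVars);

module.exports = { sanitizeVariables, UnsafeVariablesError, safeVars };
```

The guard is deliberately an allowlist: it decides what a variable may be rather than trying to enumerate what it may not be, which is the shape of check that survives new bypass techniques. It complements, and does not replace, the upgrade to 3.0.0.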

Exploit

Fix

Code Injection

RCE

Weakness Enumeration

Related Identifiers

BDU:2025-14089
CVE-2025-12735
GHSA-JC85-FPWF-QM7X

Affected Products

Expr-Eval