PT-2025-45064 · Pypi · Expr-Eval

Published 2025-11-05 · Updated 2025-12-08 · CVE-2025-12735

CVSS v2.0: 10 (Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Name of the Vulnerable Software and Affected Versions: expr-eval versions prior to 3.0.0; expr-eval-fork versions prior to 3.0.0

Description: The expr-eval library, a JavaScript expression parser and evaluator, does not adequately validate its input. An attacker who can supply a specially crafted variables object to the evaluate() function can potentially achieve arbitrary code execution. The issue affects over 250 dependent projects, including projects in the areas of AI and Natural Language Processing (NLP) that use the library to evaluate mathematical expressions taken from user input. The vulnerability allows an attacker to gain full control over the affected system or to fully disclose information. The root cause is the library's failure to validate the variables/context object passed to the Parser.evaluate() function, which lets the parser execute attacker-supplied function objects during evaluation. More than 800,000 projects download this library weekly.

Recommendations: For expr-eval versions prior to 3.0.0, upgrade to version 3.0.0 or later. For expr-eval-fork versions prior to 3.0.0, upgrade to version 3.0.0 or later.
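The root cause above is an evaluator that trusts whatever the caller puts in the variables object. Upgrading is the fix; until then, and as defence in depth afterwards, an application should only ever hand the evaluator plain data. The following is an added example, not code from the advisory or from the expr-eval project: a sanitizer that rebuilds an untrusted variables object so it contains only numbers, booleans, strings, arrays and nested plain objects, and rejects anything executable (functions, class instances) or prototype-altering keys. It assumes the application receives the variables from an untrusted source such as a parsed JSON body and would otherwise pass them straight to Parser.evaluate(expr, variables); the function and variable names are the example's own, and the block does not require expr-eval to run.

```javascript
// Added example (not the advisory's or expr-eval's code): build a variables
// object for an expression evaluator that holds only plain data.
// Assumption: callers obtain `input` from an untrusted source (e.g. JSON.parse
// of a request body) and pass the sanitized result to Parser.evaluate().

const MAX_DEPTH = 4;

// Keys that change object behaviour instead of carrying data; never accept them
// from untrusted input (JSON.parse creates "__proto__" as an own property).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Returns a fresh, prototype-less object containing only allowed values.
// Throws on anything executable so the rejection is visible to the caller
// and can be logged, rather than silently dropping the offending key.
function sanitizeVariables(input, depth = 0) {
  if (depth > MAX_DEPTH) throw new TypeError('variables object nested too deeply');
  if (!isPlainObject(input)) throw new TypeError('variables must be a plain object');
  const out = Object.create(null);
  for (const key of Object.keys(input)) {
    if (FORBIDDEN_KEYS.has(key)) throw new TypeError(`forbidden variable name: ${key}`);
    out[key] = sanitizeValue(input[key], key, depth + 1);
  }
  return out;
}

function sanitizeValue(value, path, depth) {
  if (value === null) throw new TypeError(`null is not a usable value at ${path}`);
  switch (typeof value) {
    case 'number':
      if (!Number.isFinite(value)) throw new TypeError(`non-finite number at ${path}`);
      return value;
    case 'boolean':
    case 'string':
      return value;
    case 'object':
      if (Array.isArray(value)) {
        return value.map((v, i) => sanitizeValue(v, `${path}[${i}]`, depth + 1));
      }
      return sanitizeVariables(value, depth); // class instances are rejected here
    default:
      // 'function', 'symbol', 'bigint', 'undefined'
      throw new TypeError(`disallowed ${typeof value} at ${path}`);
  }
}

// Non-throwing wrapper for request handlers that want to log and reject in
// one place. Returns { ok, variables } or { ok, reason }.
function checkVariables(input) {
  try {
    return { ok: true, variables: sanitizeVariables(input) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed sample input, as it might arrive from a request body.
const untrusted = JSON.parse('{"x": 2, "y": 3.5, "limits": {"lo": 0, "hi": 10}}');
const clean = checkVariables(untrusted);   // ok: true, variables.limits.hi === 10

// A function value is precisely what the evaluator must never receive.
const hostile = { x: 2, helper: function () { return 'must not run'; } };
const rejected = checkVariables(hostile);  // ok: false, reason names "helper"

if (clean.ok) {
  // Only now hand the data to the evaluator, e.g. parser.evaluate(expr, clean.variables).
  console.log('variables accepted:', Object.keys(clean.variables));
}
console.log('hostile input rejected:', rejected.reason);
```

Returning a prototype-less object (Object.create(null)) means the evaluator cannot reach Object.prototype through the variables either, and the depth limit keeps a deeply nested payload from exhausting the stack before validation finishes.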

Exploit

Fix

Code Injection

RCE

Weakness Enumeration

Related Identifiers

BDU:2025-14089
CVE-2025-12735
GHSA-JC85-FPWF-QM7X

Affected Products

Expr-Eval