CVE-2025-12735
Published 2025-11-05
Priority P263 · critical · 9.8 (CVSS 3.1, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS 2.20% (80.3th percentile)
The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object, or use member access (MEMBER) on the context object, in the evaluate() function and trigger arbitrary code execution.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| expr-eval-fork | expr-eval-fork | <= 3.0.0 | — |
| expr-eval-fork | expr-eval-fork | >= 0 < 3.0.1 | 3.0.1 |
| jorenbroekema | javascript_expression_evaluator | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cm1_vim_8.1.0388-7_on_cbl_mariner_1.0 | — | — |
| rhelai3 | bootc-cuda-rhel9 | — | — |
| rhelai3 | bootc-gaudi-rhel9 | — | — |
| rhelai3 | bootc-rocm-rhel9 | — | — |
| rhelai3 | disk-image-cuda-rhel9 | — | — |
| silentmatt | expr-eval | <= 2.0.2 | — |
| silentmatt | expr-eval | 0 – 2.0.2 | — |
| silentmatt | javascript_expression_evaluator | <= 2.0.2 | — |
Detection & IOCs (extracted from sources)
- Attacker passes a crafted context object or uses MEMBER of the context object into the evaluate() function to trigger arbitrary code execution
- Attacker can inject and execute arbitrary system-level commands on the host by providing maliciously crafted input to the parser's evaluate() method via the context object
- Monitor for use of expr-eval or expr-eval-fork versions prior to 3.0.0 in Node.js environments; expr-eval-fork v3.0.0 contains the security fix with an allowlist of safe functions
- LangChain Calculator tool calls Parser.evaluate() with expr-eval; LangChainJS replaced expr-eval with math-expression-evaluator as a fix. Audit @langchain/community dependencies for bundled expr-eval
- expr-eval is listed as a bundled dependency in grafana-pcp in RHEL 8, but the library is not present in the compiled JavaScript bundle and the vulnerable code does not execute; RHEL 8 grafana-pcp is not affected
- RHEL AI 3.x bootc images ship expr-eval (version obscured in the source) as a dependency of @langchain/community; the only consumer is the LangChain Calculator tool, which calls Parser.evaluate() and does NOT invoke toJSFunction(), so CVE-2026-12866 (toJSFunction API) is rated Low for RHEL AI, but CVE-2025-12735 (evaluate() path) may still apply
- The patch in expr-eval-fork v3.0.0 enforces an allowlist of safe functions for evaluation and a registration system for custom functions; the original expr-eval package has an unmerged pull request with the fix due to unresponsive maintainers
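Added example, not code from the advisory or from the expr-eval project: a caller-side allowlist for the variables object handed to evaluate(), mirroring the fix's approach of only admitting known-safe values. `sanitizeVariables`, `safeEvaluate` and the stand-in `sumEvaluator` are names assumed here; a real deployment would pass the parser's own evaluate function instead of the stand-in.

```javascript
// Added example, not code from the advisory or the expr-eval project.
// The evaluate() path of CVE-2025-12735 is reachable only when the caller
// forwards an attacker-influenced "context"/variables object. This wrapper
// enforces an allowlist on that object: plain own keys with safe names and
// finite numeric values only, so no function or nested object can reach the
// evaluator. sanitizeVariables() and safeEvaluate() are hypothetical names.

const SAFE_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;
const SAFE_PROTOS = new Set([Object.prototype, null]);

// Return a frozen, null-prototype copy holding only finite numbers.
// Throws on anything else (functions, objects, arrays, symbols, NaN,
// inherited keys, custom prototypes, or a literal "__proto__" key).
function sanitizeVariables(vars) {
  if (vars === null || typeof vars !== 'object' || Array.isArray(vars)) {
    throw new TypeError('variables must be a plain object');
  }
  if (!SAFE_PROTOS.has(Object.getPrototypeOf(vars))) {
    throw new TypeError('variables must not carry a custom prototype');
  }
  const clean = Object.create(null);
  for (const key of Object.keys(vars)) {          // own enumerable keys only
    if (key === '__proto__' || !SAFE_NAME.test(key)) {
      throw new TypeError(`illegal variable name: ${key}`);
    }
    const value = vars[key];
    if (typeof value !== 'number' || !Number.isFinite(value)) {
      throw new TypeError(`variable ${key} must be a finite number`);
    }
    clean[key] = value;
  }
  return Object.freeze(clean);
}

// Call a Parser.evaluate-style function (passed in, so the example runs
// without expr-eval installed) with sanitized variables only.
function safeEvaluate(evaluate, expression, untrustedVars) {
  return evaluate(expression, sanitizeVariables(untrustedVars));
}

// Stand-in evaluator for the demonstration (constructed for this example):
// a real deployment would pass parser.evaluate.bind(parser) here.
function sumEvaluator(_expression, vars) {
  return Object.values(vars).reduce((acc, v) => acc + v, 0);
}
```

Values arriving from JSON.parse are covered too: a literal "__proto__" key is an own property there and is rejected before it can reach the evaluator.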
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vendor_redhat: 9.8 CRITICAL
- vendor_msrc: 8.6 HIGH
Red Hat (vendor_redhat · 2026-06-23 · CVSS 9.8)
CVE-2026-12866 [CRITICAL] CWE-917: expr-eval: Code Execution via crafted expressions in toJSFunction() API
All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are transformed directly into executable JavaScript, attackers can escape the intended expression sandbox and run arbitrary code within the application's context.
A flaw was found in expr-eval. A remote attacker can exploit this vulnerability by supplying crafted expressions to the toJSFunction() API. These expressions are then compiled into native code using new Function(), allowing the attacker to execute arbitrary JavaScript code. This ca
Red Hat (vendor_redhat · 2025-11-05 · CVSS 9.8)
CVE-2025-12735 [CRITICAL] CWE-917: expr-eval
A vulnerability was discovered in the expr-eval npm package, a JavaScript library used to parse and evaluate mathematical expressions. The issue allows an attacker to define arbitrary functions within the context object used by the parser's evaluate() method. By providing maliciously crafted input, an attacker can exploit this flaw to inject and execute arbitrary system-level commands on the host system. This could lead to the executio
Microsoft (vendor_msrc · 2019-06-11 · CVSS 8.6)
CVE-2019-12735 [HIGH] CWE-78: getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline as demonstrated by execute in Vim and assert_fails or nvim_input in Neovim.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is id
OSV (osv · 2025-11-05)
CVE-2025-12735 [HIGH]: expr-eval does not restrict functions passed to the evaluate function
The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted variables object into the evaluate() function and trigger arbitrary code execution.
GHSA (ghsa · 2025-11-05)
CVE-2025-12735 [HIGH] CWE-94: expr-eval does not restrict functions passed to the evaluate function
No detection rules found.
No public exploits indexed.
References
- https://github.com/advisories/GHSA-jc85-fpwf-qm7x
- https://github.com/jorenbroekema/expr-eval
- https://github.com/silentmatt/expr-eval
- https://github.com/silentmatt/expr-eval/pull/288
- https://kb.cert.org/vuls/id/263614
- https://www.npmjs.com/package/expr-eval
- https://www.npmjs.com/package/expr-eval-fork
- https://www.kb.cert.org/vuls/id/263614
- https://github.com/jorenbroekema/expr-eval/blob/460b820ba01c5aca6c5d84a7d4f1fa5d1913c67b/test/security.js