Critical vulnerability exposed in JavaScript library expr-eval

A critical security vulnerability in the popular JavaScript library expr-eval allows remote code execution. The bug, with a CVSS score of 9.8, affects hundreds of projects and is forcing developers to migrate to a secure version quickly.

The vulnerability, registered as CVE-2025-12735, is listed in the US National Vulnerability Database (NVD) and is considered one of the most serious security issues to hit the JavaScript ecosystem recently. According to the NVD, the bug results from insufficient validation of the context object passed to the evaluate() function of the library's parser. This allows an attacker to execute malicious functions via manipulated input, potentially resulting in complete control over the behavior of the affected application.

BleepingComputer reports that the vulnerability was discovered by security researcher Jangwoo Choe, who shared his findings with the US CERT Coordination Center (CERT-CC). In its advisory, CERT states that the flaw could have serious consequences, as attackers could gain full access to systems using the library due to the flawed input validation. Both the original expr-eval, which has not been actively maintained for several years, and the current fork expr-eval-fork appear to be vulnerable to this issue.

Over 800,000 downloads per week

Expr-eval is a compact JavaScript library for parsing and evaluating expressions. It is widely used in applications where users provide input that must then be converted into calculated values. Examples include online calculation tools, educational programs, financial software, and, increasingly, AI and natural language processing systems that need to derive numerical results from text. According to figures from the npm registry, expr-eval is downloaded more than 800,000 times a week and the library is included in over 250 projects.

A solution is now available for expr-eval-fork. In version 3.0.0, the developers have added a series of security measures, including a list of explicitly allowed functions, a registration system for custom functions, and more extensive test coverage. These changes are intended to prevent external input from directly influencing the parser’s executable context. For the time being, users of the original expr-eval can only rely on an unverified patch submitted as a GitHub pull request. Because the project has not had any active maintainers for years, it is not known whether the change will ever be included in an official release.
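As an added illustration of the mitigation approach described above (example code written for this article, not the API of expr-eval or expr-eval-fork), a wrapper can strip anything callable out of an untrusted variable set and only reintroduce functions from an application-controlled registry. The registry contents, the function names and the identifier rules are assumptions chosen for the example.

```javascript
// Added example, not expr-eval or expr-eval-fork code: build a hardened
// evaluation context from untrusted variables before handing it to an
// expression evaluator. Functions come only from an explicit registry.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Constructed registry of functions the application chooses to expose.
const ALLOWED_FUNCTIONS = Object.freeze({
  sqrt: Math.sqrt,
  abs: Math.abs,
  round: Math.round,
});

// Registration path for custom functions: only real functions with plain
// identifier names may be added, and the registry itself stays immutable.
function registerFunction(registry, name, fn) {
  if (typeof fn !== 'function' || FORBIDDEN_KEYS.has(name) || !IDENT.test(name)) {
    throw new TypeError(`refusing to register ${String(name)}`);
  }
  return Object.freeze({ ...registry, [name]: fn });
}

// Accept only finite numbers from the untrusted side; anything callable,
// any object or string, any prototype-related key and any name that
// collides with a registered function is rejected and reported.
function buildSafeContext(untrustedVars, registry = ALLOWED_FUNCTIONS) {
  const ctx = Object.create(null); // no prototype chain for lookups to reach
  const rejected = [];
  for (const fname of Object.keys(registry)) ctx[fname] = registry[fname];
  for (const [name, value] of Object.entries(untrustedVars ?? {})) {
    const badName = FORBIDDEN_KEYS.has(name) || !IDENT.test(name) || hasOwn(registry, name);
    const badValue = typeof value !== 'number' || !Number.isFinite(value);
    if (badName || badValue) {
      rejected.push(name);
      continue;
    }
    ctx[name] = value;
  }
  return { ctx, rejected };
}
```

The `rejected` list is worth logging: a request that tries to pass a function or a `__proto__` key as an expression variable is a signal an operator would want to see.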

Developers and companies that integrate expr-eval are therefore strongly advised to check which version they are using and, if necessary, migrate to expr-eval-fork version 3.0.0 or higher as soon as possible. This will fix the CVE-2025-12735 vulnerability and reduce the risk of remote code execution attacks.