
About the Remote Code Execution vulnerability in expr-eval (CVE-2025-12735). expr-eval is a JavaScript library for parsing and evaluating mathematical expressions that is meant to handle user-supplied variables safely. It is used in online calculators, educational programs, modeling tools, financial applications, AI systems, and natural language processing (NLP). Insufficient input validation may allow arbitrary JavaScript code execution in the application's context.
🛠 The vulnerability was discovered on November 5. A PoC has been on GitHub since November 11.
⚙️ The vulnerability is still in the process of being fixed in the main (effectively abandoned 🤷♂️) expr-eval project and is not fully fixed in its fork, expr-eval-fork. Secure versions are expected to appear in the corresponding GHSA.
🌐 The library is popular: expr-eval has 800k weekly downloads on npm, and expr-eval-fork has 88k.
👾 No in-the-wild exploitation has been observed so far.

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to one more Telegram channel, @avleonovrus, which is now the first place I post.
