A critical vulnerability in the expr-eval JavaScript library allows remote code execution through malicious input, affecting over 250 projects. Developers are urged to upgrade to expr-eval-fork v3.0.0 to mitigate the risk. #CVE-2025-12735 #expr-eval #NodeJS
Key points
- CVE-2025-12735 affects the original expr-eval JavaScript library and its actively maintained fork, expr-eval-fork.
- The root cause is that Parser.evaluate() does not validate the variables object passed to it, so a function-valued entry in that object can be injected and invoked by the evaluated expression.
- Successful exploitation yields arbitrary code execution in the process that evaluates the expression, which can mean full compromise of the host or disclosure of sensitive data.
- The fix in expr-eval-fork v3.0.0 enforces an allowlist of safe functions and tightens the handling of custom functions, so only explicitly permitted functions can be called from an expression.
- Developers should migrate to expr-eval-fork v3.0.0 now; until the upgrade lands, do not pass untrusted or unvalidated objects as the variables argument to evaluate().
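The pattern behind the key points above, as an added example that is not code from expr-eval or expr-eval-fork: a deliberately tiny evaluator models the vulnerable shape (call targets resolved by name from the caller-supplied variables object) beside a hardened shape that only calls allowlisted functions and reduces the variables object to plain data first. The one-identifier grammar, the `SAFE_FUNCTIONS` allowlist, `sanitizeVariables`, `BLOCKED_KEYS` and the constructed `untrusted` object are all assumptions of this model; the library's real parser and the v3.0.0 patch are implemented differently.

```javascript
// Added example, not code from expr-eval or expr-eval-fork. A deliberately
// tiny evaluator that models the pattern behind CVE-2025-12735: identifiers
// in the expression are resolved by name from the caller-supplied
// `variables` object, and `name(arg)` calls whatever that lookup returns.
// Supported syntax (an assumption of this model): `name` or `name(number)`.
const CALL_OR_NAME = /^\s*([A-Za-z_]\w*)\s*(?:\(\s*(-?\d+(?:\.\d+)?)\s*\))?\s*$/;

function parse(expr) {
  const m = CALL_OR_NAME.exec(expr);
  if (!m) throw new Error(`unsupported expression: ${expr}`);
  return { name: m[1], arg: m[2] === undefined ? undefined : Number(m[2]) };
}

// Vulnerable shape: nothing checks what the variables object contains, so a
// function-valued entry becomes callable straight from the expression.
function evaluateUnsafe(expr, variables) {
  const { name, arg } = parse(expr);
  const target = variables[name];
  return arg === undefined ? target : target(arg);
}

// Hardened shape. Two controls, mirroring what an allowlist fix enforces:
// (1) only explicitly permitted functions can be called from an expression;
// (2) the variables object is reduced to plain data before it is consulted.
const SAFE_FUNCTIONS = Object.freeze({
  abs: Math.abs,
  sqrt: Math.sqrt,
  floor: Math.floor,
});

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function sanitizeVariables(variables) {
  if (variables === null || typeof variables !== 'object' || Array.isArray(variables)) {
    throw new TypeError('variables must be a plain object');
  }
  // Null-prototype copy: lookups cannot fall through to Object.prototype.
  const clean = Object.create(null);
  for (const key of Object.keys(variables)) {
    if (BLOCKED_KEYS.has(key)) throw new TypeError(`blocked variable name: ${key}`);
    const value = variables[key];
    const type = typeof value;
    // This model accepts scalars only (an assumption); a real integration
    // decides which data shapes (arrays, nested objects) it actually needs.
    if (type !== 'number' && type !== 'string' && type !== 'boolean') {
      throw new TypeError(`variable ${key} has non-data type ${type}`);
    }
    clean[key] = value;
  }
  return clean;
}

function evaluateSafe(expr, variables) {
  const vars = sanitizeVariables(variables);
  const { name, arg } = parse(expr);
  if (arg === undefined) {
    if (!(name in vars)) throw new Error(`unknown variable: ${name}`);
    return vars[name];
  }
  // Call targets come only from the allowlist, never from `variables`.
  if (!Object.prototype.hasOwnProperty.call(SAFE_FUNCTIONS, name)) {
    throw new Error(`function not in allowlist: ${name}`);
  }
  return SAFE_FUNCTIONS[name](arg);
}

// Constructed input: a variables object an attacker managed to influence,
// carrying a function. The `ran` log stands in for "arbitrary code".
function demo() {
  const ran = [];
  const untrusted = { x: 2, log: (n) => { ran.push(`attacker function ran with ${n}`); return n; } };

  const unsafeResult = evaluateUnsafe('log(42)', untrusted); // injected function executes
  let safeError;
  try { evaluateSafe('log(42)', untrusted); } catch (e) { safeError = e.message; }
  const allowlisted = evaluateSafe('abs(-3)', { x: 2 }); // permitted function still works

  return { unsafeResult, ran, safeError, allowlisted };
}

console.log(demo());
```

The sanitizer is caller-side defence in depth, not a substitute for the upgrade: it narrows what can reach the evaluator, but the allowlist check inside the evaluator is what guarantees that a name in an expression can only ever resolve to a function the integrator chose. Note that `evaluateSafe('abs', vars)` fails with "unknown variable" rather than returning the function object, so allowlisted functions are not leaked back out as values either.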