CVE-2025-12735
📋 TL;DR
CVE-2025-12735 is a critical remote code execution vulnerability in the expr-eval JavaScript library. Attackers can exploit insufficient input validation in the evaluate() function to execute arbitrary code by passing crafted context objects. Any application using vulnerable versions of expr-eval to evaluate user-controlled expressions is affected.
💻 Affected Systems
- expr-eval JavaScript library
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code with application privileges, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Remote code execution leading to application compromise, data exfiltration, and potential privilege escalation depending on application context.
If Mitigated
Limited impact if proper input validation and sandboxing are implemented, though the vulnerability still presents significant risk.
🎯 Exploit Status
Exploitation requires the ability to control input to the evaluate() function. The vulnerability is well-documented in public advisories with technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.0 and later
Vendor Advisory: https://github.com/advisories/GHSA-jc85-fpwf-qm7x
Restart Required: No
Instructions:
1. Update expr-eval to version 2.0.0 or later using npm update expr-eval or yarn upgrade expr-eval.
2. Test your application to ensure compatibility with the updated version.
3. Deploy the updated package to production.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation so that malicious context objects never reach the evaluate() function.
Sandbox Execution
Run expr-eval in a sandboxed environment with restricted permissions.
🧯 If You Can't Patch
- Implement strict input validation to sanitize all user inputs before passing to expr-eval
- Disable or remove expr-eval functionality if not essential, or replace with alternative expression evaluators
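The "Input Validation and Sanitization" workaround and the first "If You Can't Patch" item both come down to the same control: never hand a user-supplied object straight to evaluate(). The following is an added example, not code from the advisory or from the expr-eval project. It assumes the application knows in advance which variable names an expression may reference (allowedVars) and that those variables only ever hold numbers or booleans; evaluateFn stands in for the library's evaluate entry point (for example a closure around parser.evaluate) and is injected so the file runs stand-alone.

```javascript
// Added example (not expr-eval's own code): a defensive wrapper that validates an
// untrusted context object before it is passed to expr-eval's evaluate().
// Assumptions: the caller supplies the set of variable names the expression may use,
// values are numeric or boolean, and `evaluateFn(expression, context)` is the
// application's wrapper around the library call (hypothetical, injected for testing).

const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;
// Names that look like identifiers but must never be accepted from user input,
// because JSON.parse turns "__proto__" into an own property and the others can
// reach prototype machinery when looked up on ordinary objects.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

// Build a prototype-free context that contains exactly the allowed variables with
// finite numeric or boolean values. Functions, nested objects, strings, unknown keys
// and prototype-related names are rejected instead of being passed through.
function sanitizeContext(untrusted, allowedVars) {
  if (!isPlainObject(untrusted)) throw new TypeError('context must be a plain object');
  const safe = Object.create(null); // nothing inherited, so only own keys are visible
  for (const key of Object.keys(untrusted)) { // own enumerable properties only
    if (BLOCKED_KEYS.has(key) || !IDENTIFIER.test(key)) throw new Error(`rejected key: ${key}`);
    if (!allowedVars.has(key)) throw new Error(`unexpected variable: ${key}`);
    const value = untrusted[key];
    if (typeof value === 'number' && Number.isFinite(value)) safe[key] = value;
    else if (typeof value === 'boolean') safe[key] = value;
    else throw new Error(`rejected value for ${key}: ${typeof value}`);
  }
  for (const name of allowedVars) {
    if (!(name in safe)) throw new Error(`missing variable: ${name}`);
  }
  return safe;
}

// The only path by which user-controlled data should reach the evaluator.
function evaluateUntrusted(evaluateFn, expression, untrustedContext, allowedVars) {
  const context = sanitizeContext(untrustedContext, allowedVars);
  return evaluateFn(expression, context);
}

module.exports = { sanitizeContext, evaluateUntrusted };
```

The allow-list of variable names should come from the application's own schema, not from the incoming request; if the expression text itself is also user-controlled, the same wrapper is the place to enforce a length limit and to reject anything other than the expression shapes the feature needs. Widening the accepted value types (for example to strings) is an application decision and should be made deliberately, because every additional type is additional surface reaching evaluate().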
🔍 How to Verify
Check if Vulnerable:
Check package.json or node_modules/expr-eval/package.json for version number. Versions below 2.0.0 are vulnerable.
Check Version:
npm list expr-eval or cat node_modules/expr-eval/package.json | grep version
Verify Fix Applied:
Verify expr-eval version is 2.0.0 or higher. Test that expression evaluation still works correctly in your application.
📡 Detection & Monitoring
Log Indicators:
- Unusual expression evaluation patterns
- Unexpected process spawns from application context
- Error logs showing expression parsing failures
Network Indicators:
- Unusual outbound connections from application server
- Data exfiltration patterns
SIEM Query:
source="application.logs" AND ("expr-eval" OR "evaluate()") AND (error OR exception OR "unexpected")
🔗 References
- https://github.com/advisories/GHSA-jc85-fpwf-qm7x
- https://github.com/jorenbroekema/expr-eval
- https://github.com/silentmatt/expr-eval
- https://github.com/silentmatt/expr-eval/pull/288
- https://kb.cert.org/vuls/id/263614
- https://www.npmjs.com/package/expr-eval
- https://www.npmjs.com/package/expr-eval-fork
- https://www.kb.cert.org/vuls/id/263614
- https://github.com/jorenbroekema/expr-eval/blob/460b820ba01c5aca6c5d84a7d4f1fa5d1913c67b/test/security.js