CVE-2025-13204

7.3 HIGH

📋 TL;DR

The npm package `expr-eval` is vulnerable to prototype pollution, allowing attackers to modify JavaScript object prototypes. This can lead to arbitrary code execution if an attacker can access the expression evaluation interface. Any application using vulnerable versions of this package is affected.

💻 Affected Systems

Products:
  • npm expr-eval package
Versions: All versions before the fix in expr-eval-fork
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using expr-eval for expression parsing/evaluation is vulnerable by default.

📦 What is this software?

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Application compromise allowing data manipulation, privilege escalation, and potential access to underlying server resources.

🟢 If Mitigated

Limited impact with proper input validation and sandboxing, potentially only denial of service or application errors.

🌐 Internet-Facing: HIGH - Web applications using this package for expression evaluation are directly exposed to attack.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but have reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept exploits exist in CTF challenges; exploitation requires the attacker to control the expression input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: expr-eval-fork package (patched version)

Vendor Advisory: https://github.com/silentmatt/expr-eval/pull/252/files

Restart Required: Yes

Instructions:

  1. Update package.json to use expr-eval-fork instead of expr-eval.
  2. Run npm install expr-eval-fork.
  3. Update import statements from 'expr-eval' to 'expr-eval-fork'.
  4. Restart the application.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement strict input validation to reject expressions containing prototype pollution patterns

Sandbox Expression Evaluation (applies to: all)

Run expr-eval in isolated environment or container with limited permissions

🧯 If You Can't Patch

  • Implement WAF rules to block prototype pollution patterns in expression inputs
  • Disable or remove expr-eval functionality if not essential to application

🔍 How to Verify

Check if Vulnerable:

Check package.json for an 'expr-eval' dependency; if it is present and has not been replaced by the patched 'expr-eval-fork', the application is vulnerable

Check Version:

npm list expr-eval; npm list expr-eval-fork

(Run the two commands independently rather than chained with `&&`: `npm list <pkg>` exits non-zero when the package is not installed, so a chained second command would be skipped in exactly the case where expr-eval is absent and you want to confirm the fork is present.)

Verify Fix Applied:

Verify package.json uses 'expr-eval-fork' and test with known malicious expressions
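The package.json check above can be scripted. The following is an added example written for this page, not code from the advisory or from the expr-eval project: it classifies a manifest as vulnerable (still depends on `expr-eval`), patched (depends only on `expr-eval-fork`), or not affected. The sample manifests and the `<any version>` range strings are constructed placeholders; it only inspects the manifest, so transitive dependencies still need `npm list`.

```javascript
// Added example (not from the advisory or the expr-eval project):
// classify a package.json for the vulnerable `expr-eval` package
// versus the patched `expr-eval-fork` replacement.

const DEPENDENCY_SECTIONS = [
  'dependencies',
  'devDependencies',
  'optionalDependencies',
  'peerDependencies',
];

const VULNERABLE_PKG = 'expr-eval';
const PATCHED_PKG = 'expr-eval-fork';

// Returns { status, vulnerable, patched }:
//   status is 'vulnerable' if expr-eval appears in any section,
//   'patched' if only expr-eval-fork appears, else 'not-present'.
function classifyExprEval(manifest) {
  const vulnerable = [];
  const patched = [];
  for (const section of DEPENDENCY_SECTIONS) {
    const deps = manifest[section];
    if (!deps || typeof deps !== 'object') continue;
    // hasOwnProperty via the prototype avoids being fooled by a manifest
    // that itself contains a "__proto__" or "constructor" key.
    if (Object.prototype.hasOwnProperty.call(deps, VULNERABLE_PKG)) {
      vulnerable.push(`${section}.${VULNERABLE_PKG}@${deps[VULNERABLE_PKG]}`);
    }
    if (Object.prototype.hasOwnProperty.call(deps, PATCHED_PKG)) {
      patched.push(`${section}.${PATCHED_PKG}@${deps[PATCHED_PKG]}`);
    }
  }
  let status = 'not-present';
  if (vulnerable.length > 0) status = 'vulnerable';
  else if (patched.length > 0) status = 'patched';
  return { status, vulnerable, patched };
}

// Convenience wrapper for raw package.json text (e.g. fs.readFileSync output).
function classifyExprEvalJson(text) {
  return classifyExprEval(JSON.parse(text));
}

// Constructed sample manifests; "<any version>" is a placeholder range.
const SAMPLE_VULNERABLE = JSON.stringify({
  name: 'demo-app',
  dependencies: { 'expr-eval': '<any version>', express: '<any version>' },
});
const SAMPLE_PATCHED = JSON.stringify({
  name: 'demo-app',
  dependencies: { 'expr-eval-fork': '<any version>' },
});
const SAMPLE_MIXED = JSON.stringify({
  name: 'demo-app',
  dependencies: { 'expr-eval-fork': '<any version>' },
  devDependencies: { 'expr-eval': '<any version>' },
});
const SAMPLE_NONE = JSON.stringify({ name: 'demo-app', dependencies: { express: '<any version>' } });

// Usage: node check-expr-eval.js (reads ./package.json when run directly)
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const result = classifyExprEvalJson(fs.readFileSync('package.json', 'utf8'));
  console.log(JSON.stringify(result, null, 2));
}
```

The mixed case (fork added but the original left in devDependencies) is still reported as vulnerable, which matches step 1 of the fix instructions: the original dependency must be removed, not merely supplemented.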

📡 Detection & Monitoring

Log Indicators:

  • Unusual expression patterns with __proto__ or constructor properties
  • Application errors related to prototype modification

Network Indicators:

  • HTTP requests containing JavaScript prototype pollution patterns in expression parameters

SIEM Query:

search 'expr-eval' AND ('__proto__' OR 'constructor' OR 'prototype') in web logs
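The "Input Validation and Sanitization" workaround and the log and network indicators above share one pattern check: does an expression string contain `__proto__`, `constructor` or `prototype`? The following added example (not code from the advisory, the expr-eval project or any SIEM vendor) implements that check once and uses it both as an input guard placed before the evaluator and as a scanner over access-log lines. The log format (`<ip> <method> <path>`) and the sample lines are constructed for the example; real deployments will need to adapt the parser to their own log format.

```javascript
// Added example (not from the advisory or the expr-eval project):
// one prototype-pollution token check, applied as (1) an input guard and
// (2) a detection scan over constructed access-log lines.

// Tokens named in the advisory's detection indicators.
const PROTOTYPE_POLLUTION_TOKENS = ['__proto__', 'constructor', 'prototype'];

// Percent-decode and lower-case so `%5F%5Fproto%5F%5F` matches too;
// malformed encodings fall back to the raw string.
function normalize(input) {
  let s = String(input);
  try {
    s = decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (_) {
    // keep the raw string if decoding fails
  }
  return s.toLowerCase();
}

// Returns the suspicious tokens present in the expression (empty = clean).
function findPollutionTokens(expression) {
  const s = normalize(expression);
  return PROTOTYPE_POLLUTION_TOKENS.filter((token) => s.includes(token));
}

// Input guard: call this before handing user input to the expression parser.
// Throws on a hit so the expression never reaches the evaluator.
function guardExpression(expression) {
  const hits = findPollutionTokens(expression);
  if (hits.length > 0) {
    throw new Error(`rejected expression: contains ${hits.join(', ')}`);
  }
  return expression;
}

// Detection: scan access-log lines of the constructed form
// "<ip> <method> <path?query>" and report query parameters that carry
// prototype-pollution tokens (the advisory's network indicator).
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = line.match(/^(\S+)\s+(\S+)\s+(\S+)/);
    if (!m) continue;
    const [, ip, method, path] = m;
    const qIndex = path.indexOf('?');
    if (qIndex === -1) continue;
    const params = new URLSearchParams(path.slice(qIndex + 1));
    for (const [key, value] of params) {
      const tokens = findPollutionTokens(value);
      if (tokens.length > 0) findings.push({ ip, method, param: key, tokens });
    }
  }
  return findings;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 GET /calc?expr=2%2B2*x',
  '10.0.0.9 GET /calc?expr=x.__proto__.polluted%3D1',
  '10.0.0.7 POST /login',
];

// Usage when run directly: print findings for the sample log.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanAccessLog(SAMPLE_LOG), null, 2));
}
```

The token list is deliberately the coarse one from the advisory's indicators, so a legitimate variable legitimately named `constructor` would be rejected or flagged; tighten it with an allowlist of expected identifiers if that causes false positives, and keep the guard in addition to, not instead of, moving to the patched fork.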
