Incredibly popular JavaScript library may have troubling malware issues

  • CVE-2025-12735 in expr-eval allows remote code execution via insecure input evaluation
  • Vulnerable versions ≤2.0.2; patched in version 2.0.3 and forked in expr-eval-fork 3.0.0
  • Developers should clean up variables and avoid unreliable input in evaluate() calls

A widely used JavaScript library has been discovered to contain a critical vulnerability that could allow attackers to remotely execute malicious code.

Security researcher Jangwoo Choe discovered an “insufficient input validation” flaw in expr-eval, a library with over 800,000 downloads per week on NPM. The library parses and evaluates mathematical expressions from strings, letting developers calculate user-entered formulas without handing them to eval(). It is commonly used in web applications for calculators, data analysis tools, and expression-based logic.

The vulnerability received a severity rating of 9.8/10 (Critical) and is now tracked as CVE-2025-12735. CERT/CC and industry experts rate the flaw as serious: they say it can be exploited remotely, requires no privileges or user interaction, and could result in a complete compromise of confidentiality, privacy and availability.

Fixes and mitigations

“This capability can be exploited to inject malicious code that executes system-level commands, potentially to access sensitive local resources or exfiltrate data,” a CERT advisor said. “This issue was resolved via pull request #288.”

The root cause of the problem is that the library accepts function objects and other malicious values in the evaluation context. An attacker who controls the variables object can therefore supply functions that escape the sandbox and execute arbitrary JavaScript.

All versions of the library up to and including 2.0.2 were considered vulnerable, and a patch was available starting with version 2.0.3.

Users can also mitigate risks by migrating to the actively maintained expr-eval-fork version 3.0.0. Users whose applications call evaluate() with untrusted user input should also stop passing untrusted data through directly and wrap or sanitize the variables object so that functions and prototype-modifying fields cannot be injected into it.
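The root-cause paragraph above says the danger is a variables object that carries functions or prototype-manipulating keys into the evaluation context, and the mitigation paragraph says to wrap or sanitize that object. As an added example that is not part of the original article and not expr-eval's own code, the following sanitizer builds a fresh, prototype-less scope that keeps only plain numeric values under well-formed names and rejects everything else. The sample input is constructed here; the call to `Parser.evaluate` at the end is shown in a comment only, since the library is not loaded in this stand-alone snippet.

```javascript
'use strict';

// Keys that must never reach the evaluation scope: each one lets a caller
// reach or alter the prototype chain instead of supplying a plain value.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Variable names a calculator would legitimately use.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// True only for values a formula actually needs: finite numbers, booleans,
// or flat arrays of finite numbers. Functions, objects and strings are
// rejected, so nothing executable or prototype-bearing is passed through.
function isSafeValue(v) {
  if (typeof v === 'number') return Number.isFinite(v);
  if (typeof v === 'boolean') return true;
  if (Array.isArray(v)) {
    return v.every((x) => typeof x === 'number' && Number.isFinite(x));
  }
  return false;
}

// Copies the own keys of `input` that pass both the name and the value
// check into an object with a null prototype. Rejected keys are returned
// so the caller can log them; the scope never contains a function.
function sanitizeVariables(input) {
  const scope = Object.create(null);
  const rejected = [];
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { scope, rejected: ['<non-object input>'] };
  }
  for (const key of Object.keys(input)) {
    if (FORBIDDEN_KEYS.has(key) || !IDENT.test(key)) {
      rejected.push(key);
      continue;
    }
    const value = input[key];
    if (!isSafeValue(value)) {
      rejected.push(key);
      continue;
    }
    scope[key] = Array.isArray(value) ? value.slice() : value;
  }
  return { scope, rejected };
}

// Constructed sample of what an untrusted client might send as "variables".
// JSON.parse creates a real own property named "__proto__", which an
// object literal would not, so this is the realistic shape of the input.
const UNTRUSTED_JSON =
  '{"x": 3, "y": 4, "__proto__": {"polluted": 1}, "f": "not a number", "constructor": 1}';

function demo() {
  const raw = JSON.parse(UNTRUSTED_JSON);
  // A function cannot arrive via JSON, but can via other code paths;
  // add one here to show that it is dropped as well.
  raw.callMe = () => 'should never run';
  const { scope, rejected } = sanitizeVariables(raw);
  // Hypothetical use with expr-eval (library not loaded in this snippet):
  //   const { Parser } = require('expr-eval');
  //   const result = Parser.evaluate('sqrt(x*x + y*y)', scope);
  return { scope, rejected };
}
```

The important design choice is the allowlist: rather than trying to enumerate every dangerous key, the sanitizer only lets through values of types the formula engine needs, and it starts from `Object.create(null)` so the scope has no prototype chain for a lookup to wander into. Anything rejected is surfaced in `rejected`, which is the natural place to emit a detection log line when clients start sending function-shaped or prototype-shaped variables.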

The library is very popular. According to npmjs.com, it is currently used in more than 250 projects.

IN BeepTeam