Researcher Discovers Critical RCE (CVE-2025-12735) in expr-eval JavaScript Library

Security researcher Jangwoo Choe discovered a critical remote code execution (RCE) vulnerability, CVE-2025-12735, in the popular JavaScript library expr-eval. The flaw, which has a critical CVSS score of 9.8, lets attackers execute arbitrary code and seize full control over hundreds of affected projects.

The expr-eval library is a JavaScript parser and evaluator for mathematical expressions that can reference user-defined variables. Its widespread use in applications that convert user input into computed values makes the vulnerability significant. The flaw, first identified by Choe, originates from inadequate input validation in the library’s evaluate() function.

The National Vulnerability Database (NVD) reports that the evaluate() function’s parser fails to properly validate provided context. This oversight enables a malicious actor to inject a specially crafted variables object. The manipulated input tricks the library into executing unintended functions, giving attackers unauthorized access and control over compromised applications. The 9.8 CVSS score highlights the ease of exploitation and potential for complete system compromise.

Both the original expr-eval library, which lacks active maintenance, and its expr-eval-fork are vulnerable. Without proper input control, applications using either version face risk. Attackers exploiting this flaw can gain complete control over an affected application’s behavior, threatening data integrity and system security.
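The advisory's root cause is that evaluate() trusts whatever context object it is handed. The following is an added example, not code from the article or from the expr-eval project: an allow-list guard an application can run over a caller-supplied variables object before passing it to evaluate(). It assumes the application's expressions only need numeric variables (scalars or arrays of numbers) and that the context arrives as JSON or as an object built from request data; the function names `sanitizeContext` and `demo`, the `UnsafeContextError` class and the sample inputs are all constructed here. The library itself is not required and is not called; the evaluate() call is shown as a comment.

```javascript
'use strict';

// Variable names must be plain identifiers; keys that can reach the prototype
// chain are refused outright even when their values look harmless.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

class UnsafeContextError extends Error {}

function isFiniteNumber(v) {
  return typeof v === 'number' && Number.isFinite(v);
}

// Returns a fresh, prototype-less object holding only validated entries and
// throws UnsafeContextError on anything outside the allow-list: functions,
// nested objects, strings, NaN/Infinity, odd key names, custom prototypes.
// Options (assumed for this example): `allowedNames` restricts variables to a
// known set; `maxEntries` bounds the object size.
function sanitizeContext(input, { allowedNames = null, maxEntries = 64 } = {}) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new UnsafeContextError('context must be a plain object');
  }
  const proto = Object.getPrototypeOf(input);
  if (proto !== Object.prototype && proto !== null) {
    throw new UnsafeContextError('context must not carry a custom prototype');
  }
  // Own enumerable string keys only; inherited properties are never copied.
  const keys = Object.keys(input);
  if (keys.length > maxEntries) {
    throw new UnsafeContextError(`too many variables (${keys.length})`);
  }
  const out = Object.create(null);
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key) || !IDENT.test(key)) {
      throw new UnsafeContextError(`illegal variable name ${JSON.stringify(key)}`);
    }
    if (allowedNames && !allowedNames.has(key)) {
      throw new UnsafeContextError(`variable ${key} is not in the allow-list`);
    }
    const value = input[key];
    if (isFiniteNumber(value)) {
      out[key] = value;
    } else if (Array.isArray(value) && value.every(isFiniteNumber)) {
      out[key] = value.slice();
    } else {
      throw new UnsafeContextError(`variable ${key} has disallowed type ${typeof value}`);
    }
  }
  return out;
}

// Demo over constructed, untrusted inputs (three JSON bodies as an HTTP API
// might receive them, plus one in-process object carrying a function).
// Returns one {label, accepted} record per input so the outcome is inspectable.
function demo() {
  const inputs = [
    ['numeric scalars',      JSON.parse('{"x": 2, "y": 3.5}')],
    ['numeric array',        JSON.parse('{"v": [1, 2, 3]}')],
    ['own __proto__ key',    JSON.parse('{"x": 1, "__proto__": {"polluted": true}}')],
    ['string value',         JSON.parse('{"x": "1"}')],
    ['function value',       { x: 1, f: () => 'not a number' }],
  ];
  return inputs.map(([label, ctx]) => {
    try {
      const safeVars = sanitizeContext(ctx, { allowedNames: new Set(['x', 'y', 'v']) });
      // With the real library this is where the application would evaluate:
      //   const result = Parser.evaluate('x * y + 1', safeVars);
      return { label, accepted: true, variables: Object.keys(safeVars) };
    } catch (e) {
      if (!(e instanceof UnsafeContextError)) throw e;
      return { label, accepted: false, reason: e.message };
    }
  });
}

module.exports = { sanitizeContext, UnsafeContextError, demo };
```

The guard is deliberately a positive allow-list rather than a blocklist of "dangerous" values: the bug class here is the library executing whatever callable it finds in the context, so the safe posture is to guarantee that nothing callable, and nothing with a prototype chain, can get there at all. Symbol-keyed properties are ignored by `Object.keys`, which is fine because expression variables are looked up by string name. Sanitizing the context is a mitigation for callers that cannot upgrade yet; it does not replace moving to a patched release.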

Choe identified the vulnerability and promptly shared his findings with the CERT Coordination Center (CERT-CC). CERT-CC issued an advisory, outlining the flaw’s severe implications. It warned that attackers could leverage deficient input validation to gain full access to systems integrating the library. Developers must immediately migrate to a secure, patched version.

Key takeaway: Update immediately to a patched version of expr-eval or expr-eval-fork. Review application logs for signs of exploitation.