Arbitrary Code Execution Vulnerability in expr-eval Library by SilentMatt
CVE-2025-12735

9.8CRITICAL

Key Information:

Vendor

Silentmatt

Status
Expr-eval
Expr-eval-fork
Vendor
CVE Published:
5 November 2025

Badges

👾 Exploit Exists📰 News Worthy

What is CVE-2025-12735?

The expr-eval library, which functions as a JavaScript expression parser and evaluator, has a vulnerability stemming from inadequate input validation. This flaw allows attackers to manipulate the variables object supplied to the evaluate() function, potentially executing arbitrary code. This poses a significant risk, especially in applications that leverage the library for mathematical expression evaluation without stringent input checks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

expr-eval 0 <= 2.0.2

expr-eval-fork 0 <= 3.0.0

News Articles

favicon imageBleepingComputer

Popular JavaScript library expr-eval vulnerable to RCE flaw

A critical vulnerability in the popular expr-eval JavaScript library, with over 800,000 weekly downloads on NPM, can be exploited to execute code remotely through maliciously crafted input.

References

https://github.com/silentmatt/expr-eval
https://github.com/jorenbroekema/expr-eval
https://www.npmjs.com/package/expr-eval-fork

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 👾

    Exploit known to exist

  • 📰

    First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was reported by Jangwoo Choe (UKO)
JSON
.