Prototype Pollution Vulnerability in expr-eval Package by npm
CVE-2025-13204

Currently unrated

Key Information:

Vendor: Silentmatt
Status: Expr-eval
Vendor: CVE Published:; 14 November 2025

What is CVE-2025-13204?

The expr-eval package, commonly used in npm environments, is vulnerable to a prototype pollution attack. An attacker with access to the express eval interface can manipulate the JavaScript prototype chain, potentially resulting in arbitrary code execution. To mitigate this risk, it is recommended to migrate to the expr-eval-fork package, which addresses this security concern.

Affected Version(s)

expr-eval 0 <= 2.0.2

References

https://www.npmjs.com/package/expr-eval-fork

https://github.com/silentmatt/expr-eval

https://github.com/jorenbroekema/expr-eval

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 14, 2025
Vulnerability Reserved
Nov 14, 2025

JSON

Silentmatt

What is CVE-2025-13204?

Affected Version(s)

References

Timeline