CVE-2025-12735

Published Nov 5, 2025

Last updated 3 months ago

Overview

Description
The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object, or invoke a member of the context object, into the evaluate() function and trigger arbitrary code execution.
Source
cret@cert.org
NVD status
Analyzed
Products
javascript_expression_evaluator, javascript_expression_evaluator

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

nvd@nist.gov
CWE-94

Social media

Hype score
Not currently trending
  1. 🛡️ Codve caught CVE-2025-12735 in expr-eval (800k downloads/week) The bug: new Function() allows arbitrary code execution Codve flagged it in 3ms: "Safety violation: Disallowed constructor: new Function()" How many of your dependencies have this? 🧵

    @CodveAi

    22 Feb 2026

    55 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. Security that strengthens the ecosystem: Docker’s upstream approach to CVE-2025-12735 https://t.co/n8G9pIMRVd #docker https://t.co/x9gaVpZc0o

    @rgonv

    8 Dec 2025

    50 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Security that strengthens the ecosystem: Docker’s upstream approach to CVE-2025-12735/#docker #container - On November 24, 2025, Docker Hardened Images resolved CVE-2025-12735 in the Kibana project, which is the visualization and user interface... https://t.co/HlaHodp0wt

    @knaepp

    26 Nov 2025

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Vulnerability in expr-eval JavaScript library can lead to arbitrary code execution (CVE-2025-12735) https://t.co/A51LgyTbxv #appsec

    @eyalestrin

    12 Nov 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Critical remote code execution vulnerability in the popular JavaScript library "expr-eval" (CVE-2025-12735) https://t.co/MBK483ZqvR #セキュリティ対策Lab #セキュリティ #Security

    @securityLab_jp

    12 Nov 2025

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Researcher Discovers Critical RCE (CVE-2025-12735) in expr-eval JavaScript Library - https://t.co/AuwiNLAFxn https://t.co/REtEhD8Tzd

    @Cyberwarzonecom

    11 Nov 2025

    52 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Critical RCE vulnerability in the JavaScript library expr-eval, CVE-2025-12735 https://t.co/Ywcj0DtJzx #Security #セキュリティー #ニュース

    @SecureShield_

    11 Nov 2025

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Remote code execution vulnerability in expr-eval, an unmaintained JavaScript library downloaded 800k times per week from NPM. CVE-2025-12735 has a CVSS score of 9.8 and stems from insufficient validation of the variable/context object passed to Parser.evaluate(). After the fork, the

    @__kokumoto

    10 Nov 2025

    928 Impressions

    0 Retweets

    4 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  9. Critical vulnerability in expr-eval allows remote code execution: the CVE-2025-12735 flaw in the popular JavaScript parser expr-eval, with 800 thousand weekly downloads, allows remote execution via malicious input; updating to expr-eval-fork v3.0.0 is urgently recommended

    @caveiratech

    10 Nov 2025

    24 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  10. Opensource abandonware is a real problem. Just take a look at CVE-2025-12735 - I mean NPM's expr-eval. No update in 6 yrs, 800k dls last wk. Unikernels obv. prevent the more severe exec abuse shown here but can also use nanos' pledge/unveil support to further lock things down.

    @nanovms

    10 Nov 2025

    217 Impressions

    0 Retweets

    8 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  11. [CVE-2025-12735] RCE vulnerability discovered in the popular npm library "expr-eval", a dependency of more than 250 packages, including LangChain-family generative AI and NLP applications https://t.co/hMbEcgx3BG via @nikkeimatome

    @nikkeimatome

    10 Nov 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. CVE-2025-12735 (CVSS:9.8, CRITICAL) is Awaiting Analysis. The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressio..https://t.co/Uq7Bj1ueOQ #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot

    10 Nov 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. 🔴 CVE-2025-12735 expr-eval - JavaScript Library Remote Code Execution CERT disclosed CVE-2025-12735 affecting expr-eval, a JavaScript library for evaluating mathematical expressions used in NLP and AI applications. What's brutal: attackers craft malicious input that define

    @the_c_protocol

    8 Nov 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations