Platform: nodejs
Component: expr-eval
Fixed in: 2.0.3, 3.0.1
CVE-2025-12735 is a remote code execution (RCE) vulnerability in expr-eval, a JavaScript library intended for safely evaluating mathematical expressions. The flaw is insufficient validation of the variables object passed to evaluate(): the library does not check what that object carries, so a variable whose value is a function rather than a number can be invoked during evaluation, and an attacker who can influence that object can execute code of their choosing. The untrusted expression string is not the dangerous input here; the variables argument is. Versions 2.0.2 and earlier are affected, and upgrading to 3.0.1 or later is the recommended fix.
The impact of CVE-2025-12735 is severe. An attacker who can shape the variables object handed to evaluate() gets code execution inside the Node.js process, with that process's privileges: its environment and secrets, its network reach, whatever the service account can touch. The blast radius is every application that relies on expr-eval for expression evaluation, in particular those that build the variables object from user-supplied input (request bodies, stored configuration, plugin or template data). Successful exploitation can lead to data breaches, full host compromise and denial of service.
CVE-2025-12735 was publicly disclosed on 2025-11-05. Once an attacker controls the variables object the bug is trivial to exploit, and a working proof of concept is a few lines long, so assume public PoC code exists. The EPSS score shown on this page (0.07%, 21st percentile) is low; that figure predicts observed exploitation activity, not difficulty, and the prerequisites in your own application (does untrusted input reach the variables object?) decide your actual exposure. Monitor security advisories and vulnerability databases for updates.
Node.js applications that use expr-eval for expression evaluation are at risk, especially those that accept user-supplied input and feed it, directly or after JSON decoding, into the variables object of evaluate(). Because the injected code runs inside the Node.js process, any deployment where several applications or tenants share one runtime (a multi-tenant server, a plugin host) exposes all of them to a compromise of one.
• nodejs / server:
npm ls expr-eval
(lists every installed copy, including transitive ones; any reported version 2.0.2 or earlier is affected, so compare the versions rather than grepping for a single version string)
• nodejs / server:
grep -rn --include='*.js' 'evaluate(' /var/www/your-app | less
(locate the call sites and trace where each variables object comes from)
• generic web:
Inspect application code for usage of expr-eval and the installed version. Review access logs for unusual requests carrying expression-like payloads or JSON bodies that feed the variables object.
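The npm check above is only as good as the eye reading its output. The following is an added example for this page (not code from expr-eval or its maintainers) that scans a package-lock.json for every installed copy of expr-eval, direct or nested, and flags those in the affected range stated on this page (2.0.2 and earlier). The lockfile embedded in it is constructed for the example, and `some-plugin` is a hypothetical package name.

```javascript
// Added example: flag affected expr-eval installs in a package-lock.json.
// Not code from the expr-eval project; the affected range (<= 2.0.2) is the
// one stated in this advisory, and SAMPLE_LOCK is constructed for the example.

const PACKAGE = 'expr-eval';
const LAST_AFFECTED = '2.0.2'; // per this advisory; 2.0.3 and 3.0.1 carry the fix

// "2.0.2-beta.1" -> [2, 0, 2]. The prerelease tag is dropped: with an
// inclusive upper bound of 2.0.2 that cannot misclassify a version
// (2.0.2-x stays affected, 2.0.3-x stays fixed).
function parseVersion(v) {
  return String(v).split('-')[0].split('.').slice(0, 3)
    .map((n) => parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffectedVersion(v) {
  return compareVersions(v, LAST_AFFECTED) <= 0;
}

// Collect { path, version } for every expr-eval install in the lockfile.
function findExprEval(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      const isTarget = path === `node_modules/${PACKAGE}` || path.endsWith(`/node_modules/${PACKAGE}`);
      if (isTarget && meta.version) hits.push({ path, version: meta.version });
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === PACKAGE && meta.version) hits.push({ path, version: meta.version });
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

function auditLock(lock) {
  return findExprEval(lock).map((hit) => ({ ...hit, affected: isAffectedVersion(hit.version) }));
}

// Constructed sample: a direct vulnerable copy plus a nested fixed copy
// pulled in by a plugin (hypothetical package name).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'expr-eval': '^2.0.0', 'some-plugin': '^1.0.0' } },
    'node_modules/expr-eval': { version: '2.0.2' },
    'node_modules/some-plugin': { version: '1.4.0', dependencies: { 'expr-eval': '^3.0.1' } },
    'node_modules/some-plugin/node_modules/expr-eval': { version: '3.0.1' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // node check-expr-eval.js [path/to/package-lock.json]; without a path, runs on the sample
  if (process.argv[2]) {
    const fs = require('fs');
    const report = auditLock(JSON.parse(fs.readFileSync(process.argv[2], 'utf8')));
    console.table(report);
    process.exitCode = report.some((r) => r.affected) ? 1 : 0; // non-zero for CI gating
  } else {
    console.table(auditLock(SAMPLE_LOCK));
  }
}
```

Run it against a real lockfile with `node check-expr-eval.js package-lock.json`; a non-zero exit means at least one affected copy is installed somewhere in the tree, which is the case `npm ls | grep` for one version string misses.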
Exploit status: disclosure
EPSS: 0.07% (21st percentile)
The primary mitigation for CVE-2025-12735 is to upgrade expr-eval to version 3.0.1 or later, including transitive copies pulled in by other packages (check the lockfile, not only your direct dependencies). If an immediate upgrade is not feasible because of compatibility issues or breaking changes, narrow the variables argument instead: allowlist the variable names your expressions legitimately use, accept only plain numeric values (reject functions, objects, arrays and strings), and build the object you pass to evaluate() yourself rather than forwarding a decoded request body. This shrinks the attack surface but is not a complete fix. After upgrading, confirm the fix by evaluating a test expression with a deliberately malformed variables object (for example one carrying a function-valued variable): it should be rejected or handled safely rather than executed.
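The interim mitigation above, as an added example for this page (not code from expr-eval or its maintainers): a wrapper that allowlists variable names and admits only finite numbers before anything reaches evaluate(). `ALLOWED_VARIABLES`, `sanitizeVariables`, `isSafeVariables` and `UnsafeVariableError` are names chosen for this example, the allowlist contents are an assumed application-specific choice, and the sample inputs are constructed; expr-eval itself is not loaded, so the file runs without it.

```javascript
// Added example: defensive wrapper applying the name allowlist and value-type
// check described above. Not expr-eval's own fix; names and the allowlist are
// assumptions for this example.

const ALLOWED_VARIABLES = new Set(['x', 'y', 'price', 'qty']); // assumed app-specific allowlist

class UnsafeVariableError extends Error {}

// Returns a null-prototype copy of `untrusted` containing only allowlisted
// names with finite numeric values. Anything else (functions, objects,
// arrays, strings, NaN/Infinity, unknown names such as "__proto__") is rejected.
function sanitizeVariables(untrusted, allowed = ALLOWED_VARIABLES) {
  if (untrusted === null || typeof untrusted !== 'object' || Array.isArray(untrusted)) {
    throw new UnsafeVariableError('variables must be a plain object');
  }
  const safe = Object.create(null); // no inherited properties for the evaluator to find
  for (const name of Object.keys(untrusted)) {
    if (!allowed.has(name)) {
      throw new UnsafeVariableError(`variable "${name}" is not allowlisted`);
    }
    const value = untrusted[name];
    if (typeof value !== 'number' || !Number.isFinite(value)) {
      throw new UnsafeVariableError(`variable "${name}" must be a finite number`);
    }
    safe[name] = value;
  }
  return safe;
}

// Boolean convenience for request handlers that prefer not to catch.
function isSafeVariables(untrusted, allowed = ALLOWED_VARIABLES) {
  try {
    sanitizeVariables(untrusted, allowed);
    return true;
  } catch (err) {
    if (err instanceof UnsafeVariableError) return false;
    throw err;
  }
}

// Constructed sample inputs for this example.
const benignVars = { x: 2, y: 3.5 };
// A function smuggled in as a "variable": exactly the object shape the
// mitigation is meant to stop.
const functionVars = { x: 2, f: () => 'attacker-controlled code would run here' };
// Own "__proto__" key as produced by JSON.parse; not allowlisted, so rejected.
const protoVars = JSON.parse('{"x": 1, "__proto__": {"polluted": 1}}');
// Wrong type: a string where a number is expected.
const stringVars = { x: '2' };

// Call site (illustrative; expr-eval is not loaded by this file):
//   const { Parser } = require('expr-eval');
//   const result = new Parser().evaluate(userExpression, sanitizeVariables(userVariables));

if (typeof require !== 'undefined' && require.main === module) {
  console.log(sanitizeVariables(benignVars)); // [Object: null prototype] { x: 2, y: 3.5 }
  console.log(isSafeVariables(functionVars)); // false
  console.log(isSafeVariables(protoVars));    // false
  console.log(isSafeVariables(stringVars));   // false
}
```

Two design points: rejecting rather than silently dropping bad entries makes tampering visible in logs, and returning a freshly built null-prototype object means the evaluator never sees the caller's original object, its prototype chain, or any key you did not explicitly copy. This narrows the attack surface for the variables argument; it does not replace upgrading to a fixed release.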
Update the expr-eval library to a version later than 3.0.0 that contains the fix for the arbitrary code execution vulnerability. Check the release notes and changelog to confirm the vulnerability has been addressed. If no fixed version is available, consider using an alternative library for expression parsing and evaluation.
CVE-2025-12735 is a remote code execution vulnerability in the expr-eval library for Node.js: an attacker who controls the variables object passed to evaluate() can execute arbitrary code. It is rated HIGH severity (CVSS 7.5).
You are affected if your Node.js application uses expr-eval version 2.0.2 or earlier, directly or as a transitive dependency. Check your dependencies with npm ls expr-eval.
Upgrade to version 3.0.1 or later using npm install expr-eval@latest, then confirm with npm ls expr-eval that no older copy remains in the tree. If an immediate upgrade is not possible, implement stricter validation of the variables object passed to evaluate().
No active exploitation has been confirmed and the EPSS score on this page is low (0.07%), but the vulnerability is publicly disclosed and trivial to exploit wherever an attacker can influence the variables object, so patching should be treated as urgent for such applications.
Refer to the official expr-eval GitHub repository and related security advisories for updates and further information: [https://github.com/truesilver/expr-eval](https://github.com/truesilver/expr-eval)