
Cloud Vulnerability DB
A community-led vulnerabilities database
The expr-eval JavaScript library (CVE-2025-12735) contains a critical vulnerability discovered in November 2025 that affects both the original expr-eval package and its fork expr-eval-fork. The library, which is designed to safely evaluate mathematical expressions with user-defined variables, has over 250 dependent packages and is widely used in NLP and AI applications. The vulnerability was discovered by security researcher Jangwoo Choe (UKO) and was first disclosed on November 4, 2025 (CERT Advisory, NVD).
The vulnerability stems from insufficient input validation in the evaluate() function of the Parser class: any function placed in the context object handed to the parser is callable from an expression, so an attacker who can influence that object can define arbitrary functions that the parser will execute. This enables injection of malicious code that can run system-level commands. The vulnerability has received a CVSS v3.1 score of 9.8 (Critical) from CISA-ADP (CERT Advisory, Bleeping Computer).
The vulnerability allows attackers with the ability to influence input fields processed by expr-eval to craft malicious payloads that trigger arbitrary command execution on the host system. According to CERT-CC, this constitutes a Technical Impact classified as 'Total,' meaning the vulnerability gives the adversary complete control over the software's behavior and potential access to all information on the affected system (CERT Advisory).
A security fix has been implemented and released as version 3.0.0 of expr-eval-fork. The patch introduces several security measures, including an allowlist of safe functions that can be called through evaluate(), a mandatory registration mechanism for custom functions, and updated test cases that enforce these constraints. Users are advised to upgrade to expr-eval-fork version 3.0.0 immediately. For users of the original expr-eval package, a pull request (#288) containing the fix has been submitted but remains unmerged because the maintainer is inactive (CERT Advisory, GitHub PR).
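To illustrate the root cause described above and the shape of the fix, the following is an added example, not code from expr-eval or expr-eval-fork: a context-hardening wrapper that applies the same two measures the 3.0.0 patch introduces, an allowlist of callable functions and mandatory registration of custom ones, while rejecting any callable that arrives through user-controlled variables. The allowlisted names, the class and method names, and the decision to leave out the actual Parser.evaluate() call (so the snippet runs offline) are all assumptions of this example.

```javascript
// Functions the wrapper permits by default (assumed set, chosen for the example).
const DEFAULT_ALLOWLIST = Object.freeze({
  abs: Math.abs,
  sqrt: Math.sqrt,
  max: Math.max,
  min: Math.min,
});

class SafeContextBuilder {
  constructor(allowlist = DEFAULT_ALLOWLIST) {
    // Null-prototype registry so names such as "constructor" resolve to nothing.
    this.registry = Object.assign(Object.create(null), allowlist);
  }

  // Custom functions must be registered explicitly by trusted code; nothing
  // callable may enter through the user-supplied variable object.
  registerFunction(name, fn) {
    if (typeof fn !== 'function') throw new TypeError(`${name}: not a function`);
    if (!/^[A-Za-z_]\w*$/.test(name)) throw new Error(`${name}: invalid name`);
    this.registry[name] = fn;
    return this;
  }

  // Recursively reject anything callable in user-controlled variables. Nested
  // objects are walked because expressions can read object members.
  static assertNoCallables(value, path = 'context') {
    if (typeof value === 'function') {
      throw new Error(`${path}: callables are not allowed in variables`);
    }
    if (value !== null && typeof value === 'object') {
      for (const key of Object.keys(value)) {
        SafeContextBuilder.assertNoCallables(value[key], `${path}.${key}`);
      }
    }
  }

  // Produce the object that would be handed to the library's evaluate():
  // validated plain data first, then the registered functions on top.
  build(variables = {}) {
    SafeContextBuilder.assertNoCallables(variables);
    const ctx = Object.create(null);
    for (const [k, v] of Object.entries(variables)) {
      if (k in this.registry) throw new Error(`${k}: shadows an allowed function`);
      ctx[k] = v;
    }
    return Object.assign(ctx, this.registry);
  }
}
```

The returned object is what a caller would pass as the variable context; any expression that tries to call something outside the registry has nothing to resolve to.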
The vulnerability has garnered significant attention in the security community, particularly due to its impact on AI and NLP applications. The original maintainer appears to be unresponsive, leading to community efforts to address the security concern through the fork. The expr-eval-fork maintainer, Joren Broekema, acknowledged the issue and worked to expedite the fix despite being in a remote location with limited connectivity (GitHub PR).
Source: This report was generated using AI