CVE-2025-12735

Summary

The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object or use MEMBER of the context object into the evaluate() function and trigger arbitrary code execution.

Affected Software

VendorProductVersion RangeStatus
silentmattexpr-eval0 <= 2.0.2affected
expr-eval-forkexpr-eval-fork0 <= 3.0.0affected

Weaknesses

  • CWE-94: Improper Control of Generation of Code (‘Code Injection’)
  • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

Additional References

CVE Program Container

Additional References

References