CVE-2025-13204

Summary

npm package expr-eval is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue.

Affected Software

VendorProductVersion RangeStatus
silentmattexpr-eval0 <= 2.0.2affected

Weaknesses

  • CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References