QwikSec

Security Database

CVE

CWE

Training

CVE-2025-12735

Published: Nov 5, 2025

Modified: Nov 22, 2025

PUBLISHED

Description

The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object or use MEMBER of the context object into the evaluate() function and trigger arbitrary code execution.

Vendor	Product	Versions
silentmatt	expr-eval	affected `0 - <= 2.0.2`
expr-eval-fork	expr-eval-fork	affected `0 - <= 3.0.0`

References

https://github.com/silentmatt/expr-eval

https://github.com/jorenbroekema/expr-eval

https://www.npmjs.com/package/expr-eval-fork

https://www.npmjs.com/package/expr-eval

https://github.com/silentmatt/expr-eval/pull/288

Github Security Advisory

third-party-advisory

CERT/CC Advisory

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

CVE-2025-12735 - Security Vulnerability | QwikSec