An incredibly popular JavaScript library might have some worrying malware issues
A script with 800,000 weekly downloads allows for RCE
- CVE-2025-12735 in expr-eval allows remote code execution via unsafe input evaluation
- Vulnerable versions ≤2.0.2; patched in 2.0.3 and forked in expr-eval-fork 3.0.0
- Developers should sanitize variables and avoid untrusted input in evaluate() calls
A widely adopted JavaScript library has been found to carry a critical vulnerability that could allow threat actors to execute malicious code remotely.
Security researcher Jangwoo Choe discovered an “insufficient input validation” bug in expr-eval, a library with more than 800,000 weekly downloads on NPM. It parses and evaluates mathematical expressions from strings, and allows developers to safely compute user-entered formulas. Generally, the script is used in web apps for calculators, data analysis tools, and expression-based logic.
The vulnerability was given a severity score of 9.8/10 (critical) and is now tracked as CVE-2025-12735. CERT/CC and industry trackers classify the bug as high-impact, stating that it is remotely exploitable, requires no privileges or user interaction, and can lead to a full compromise of confidentiality, integrity and availability.
Fixes and mitigations
“This capability can be exploited to inject malicious code that executes system-level commands, potentially accessing sensitive local resources or exfiltrating data,” a CERT advisory reads. “This issue has been patched via Pull Request #288.”
The root cause is that the library allows function objects and other dangerous values into the evaluation context, so an attacker who can influence the variables object can supply functions that escape the sandbox and execute arbitrary JavaScript.
All versions up to and including 2.0.2 of the library are said to be vulnerable, with a fix available in version 2.0.3 and later.
Users can also mitigate the risk by migrating to the actively maintained fork expr-eval-fork, version 3.0.0. Users whose apps call evaluate() on user-supplied and otherwise untrusted input should also immediately stop feeding untrusted data into it, and wrap or sanitize variables objects so functions and prototype modification fields cannot be injected.
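As an added illustration of the "wrap or sanitize the variables object" mitigation (example code written for this page, not from the article or the expr-eval project), the helper below copies only plain numeric values into a prototype-less object and refuses functions, nested objects and prototype-related keys before anything reaches evaluate(). The allow-list policy and the function names are assumptions for the example.

```javascript
// Added example, not expr-eval's own code. Defensive wrapper for the
// "variables" object handed to an expression evaluator such as expr-eval's
// Parser.parse(expr).evaluate(variables). Policy (an assumption here):
// only finite numbers and arrays of finite numbers are accepted; functions,
// objects, strings and NaN/Infinity are rejected, and keys that could reach
// the prototype chain are refused outright.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isSafeNumber(v) {
  return typeof v === "number" && Number.isFinite(v);
}

function sanitizeVariables(input) {
  if (input === null || typeof input !== "object" || Array.isArray(input)) {
    throw new TypeError("variables must be a plain object");
  }
  // Null prototype: the evaluated expression cannot walk up to
  // Object.prototype through the variables object itself.
  const clean = Object.create(null);
  for (const key of Object.keys(input)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`forbidden variable name: ${key}`);
    }
    const value = input[key];
    if (isSafeNumber(value)) {
      clean[key] = value;
    } else if (Array.isArray(value) && value.every(isSafeNumber)) {
      clean[key] = value.slice(); // copy, so the caller's array is not shared
    } else {
      // Functions, nested objects, strings, NaN and Infinity all land here.
      throw new TypeError(`variable ${key} has unsupported type ${typeof value}`);
    }
  }
  return clean;
}

// Non-throwing variant for callers that want to log and drop bad input
// rather than propagate the exception.
function trySanitize(input) {
  try {
    return sanitizeVariables(input);
  } catch (err) {
    return null;
  }
}

// Intended use (assumed call shape): evaluate() is only ever given the
// sanitized copy, never the raw request body or query object.
// const safe = sanitizeVariables(JSON.parse(requestBody));
// const result = Parser.parse("x * 2 + y").evaluate(safe);
```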
The library enjoys widespread popularity. According to npmjs.com, it is currently used in more than 250 projects.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.