Home > Vulnerability Database > CVE-2025-12735

Mend.io Vulnerability Database

CVE-2025-12735

Good to know:

Date: November 4, 2025

The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object or use MEMBER of the context object into the evaluate() function and trigger arbitrary code execution.

Severity Score

9.8

Related Resources (13)

Url: https://github.com/silentmatt/expr-eval/pull/289

Url: https://github.com/silentmatt/expr-eval

Url: https://github.com/advisories/GHSA-jc85-fpwf-qm7x

Url: https://kb.cert.org/vuls/id/263614

Url: https://github.com/jorenbroekema/expr-eval/blob/460b820ba01c5aca6c5d84a7d4f1fa5d1913c67b/test/security.js

Url: https://www.kb.cert.org/vuls/id/263614

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-12735

Url: https://www.npmjs.com/package/expr-eval-fork

Url: https://github.com/jorenbroekema/expr-eval

Url: https://www.npmjs.com/package/expr-eval

Url: https://github.com/silentmatt/expr-eval/pull/288

Url: https://github.com/jorenbroekema/expr-eval/commit/1d71bb2ca8f98df8de00e9cc4de8fdd468a7ad43

Url: https://www.mend.io/vulnerability-database/CVE-2025-12735

Severity Score

9.8

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

Improper Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version expr-eval-fork - 3.0.1

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-12735

Good to know:

Date: November 4, 2025

Severity Score

Related Resources (13)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?