=====================================================================
CERT-Renater Information Note No. 2025/VULN784
_____________________________________________________________________
DATE : 12/11/2025
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running the expr-eval JavaScript library.
=====================================================================
https://kb.cert.org/vuls/id/263614
_____________________________________________________________________

Vulnerability in expr-eval JavaScript library can lead to arbitrary code execution

Vulnerability Note VU#263614
Original Release Date: 2025-11-07 | Last Revised: 2025-11-10

Overview

The npm package expr-eval is a JavaScript library that evaluates mathematical expressions and is used in various applications, including NLP and AI. A vulnerability in this library has been disclosed that could allow arbitrary code execution by an attacker using maliciously crafted input.

Description

The npm projects expr-eval and expr-eval-fork are JavaScript libraries used to parse and evaluate mathematical expressions, extending NLP applications that process mathematical expressions and their numerical data. This capability is particularly useful in generative AI systems that need to interpret mathematical expressions within user prompts. The Parser class and its evaluate() method are designed to evaluate user-defined expressions in a safer way than JavaScript's native eval() function. This design choice is critical for npm-based projects, especially those running in server environments where access to a system's local resources could pose security risks. According to npmjs.com, expr-eval has over 250 dependent packages, including integrations such as oplangchain, a JavaScript implementation of the popular LangChain framework.
The related project expr-eval-fork was created to address a prior Prototype Pollution vulnerability (Issue #266) that remained unresolved in the original expr-eval repository, which appears to be unmaintained by the original author.

A newly discovered vulnerability allows an attacker to define arbitrary functions within the context object used by the parser. This capability can be exploited to inject malicious code that executes system-level commands, potentially accessing sensitive local resources or exfiltrating data. This issue has been patched via Pull Request #288. The vulnerability is tracked as CVE-2025-12735, as well as the GitHub Advisory GHSA-jc85-fpwf-qm7x. These identifiers enable automated tools such as npm audit to detect the vulnerability in affected projects.

Impact

An attacker with the ability to influence input fields processed by expr-eval can craft malicious payloads that trigger arbitrary command execution on the host system. This constitutes a Technical Impact = Total under the SSVC framework, meaning: the vulnerability gives the adversary total control over the behavior of the software or total disclosure of all information on the affected system.

Solution

Developers and users are advised either to:

- Apply the security patch from Pull Request #288, or
- Upgrade to the latest patched version of the expr-eval or expr-eval-fork package as they become available. The npm package expr-eval-fork v3.0.0 resolves this issue.

Note: The patch introduces:

- A defined allowlist of safe functions accessible via evaluate()
- A mandatory registration mechanism for custom functions
- Updated test cases ensuring that enforcement of these constraints can be understood and applied

Acknowledgements

Thanks to the reporter Jangwoo Choe (UKO) for responsibly disclosing this issue. We also acknowledge GitHub Security and npm for their proactive security advisories and automated vulnerability audits.

This document was written by Vijay Sarvepalli and Renae Metcalf.
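The policy the patch is described as introducing (an allowlist of safe functions plus mandatory registration of custom ones) can also be enforced in application code before a context object reaches evaluate(). The following is an added example written for this note, not code from expr-eval, expr-eval-fork or PR #288; the function names, the built-in allowlist and the registration map are hypothetical, and the library itself is not loaded (the wrapper only assumes the Parser#evaluate(expression, values) signature).

```javascript
// Added example (not expr-eval project code): reject caller-supplied callables
// and prototype-polluting keys in an evaluation context, and expose only
// allowlisted built-ins plus explicitly registered custom functions.

// Explicitly registered custom functions; nothing else becomes callable.
const REGISTERED_FUNCTIONS = new Map();

function registerFunction(name, fn) {
  if (typeof fn !== 'function' || !/^[A-Za-z_]\w*$/.test(String(name))) {
    throw new TypeError(`invalid function registration: ${String(name)}`);
  }
  REGISTERED_FUNCTIONS.set(name, fn);
}

// Hypothetical allowlist of built-ins a math evaluator legitimately needs.
const BUILTIN_ALLOWLIST = new Map([
  ['abs', Math.abs], ['sqrt', Math.sqrt], ['min', Math.min], ['max', Math.max],
]);

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Returns a prototype-less copy of `values` holding only plain scalars, then
// attaches the allowlisted and registered functions from trusted sources.
// Any callable or prototype-polluting key supplied by the caller is rejected.
function sanitizeContext(values) {
  if (values === null || typeof values !== 'object') {
    throw new TypeError('context must be a plain object');
  }
  const safe = Object.create(null);
  for (const key of Object.keys(values)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected key: ${key}`);
    const v = values[key];
    if (typeof v === 'function') throw new Error(`rejected callable: ${key}`);
    const scalar = (typeof v === 'number' && Number.isFinite(v))
      || typeof v === 'string' || typeof v === 'boolean';
    if (!scalar) throw new Error(`rejected non-scalar value for: ${key}`);
    safe[key] = v;
  }
  for (const [name, fn] of BUILTIN_ALLOWLIST) safe[name] = fn;
  for (const [name, fn] of REGISTERED_FUNCTIONS) safe[name] = fn;
  return safe;
}

// Wrapper for an evaluator with the Parser#evaluate(expression, values)
// signature; the library itself is not loaded here.
function evaluateSafely(parser, expression, values) {
  return parser.evaluate(expression, sanitizeContext(values));
}
```

Because the sanitized copy is built with Object.create(null) and functions are attached last, a registered name always shadows a caller-supplied variable of the same name rather than the other way round.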
Vendor Information

expr-eval-fork
Status: Unknown
Notified: 2025-10-14
Updated: 2025-11-07
CVE-2025-12735: Unknown
Vendor Statement: We have not received a statement from the vendor.

silentmatt
Status: Unknown
Notified: 2025-09-11
Updated: 2025-11-07
CVE-2025-12735: Unknown
Vendor Statement: We have not received a statement from the vendor.

References

https://github.com/silentmatt/expr-eval
https://github.com/jorenbroekema/expr-eval
https://www.npmjs.com/package/expr-eval-fork
https://www.npmjs.com/package/expr-eval
https://github.com/silentmatt/expr-eval/pull/288

Other Information

CVE IDs: CVE-2025-12735
Date Public: 2025-11-07
Date First Published: 2025-11-07
Date Last Updated: 2025-11-10 21:52 UTC
Document Revision: 3

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: cert@support.renater.fr +
=========================================================