CVE-2025-12735
Published: 05 November 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-12735, published on 2025-11-05, affects expr-eval, a JavaScript expression parser and evaluator intended to process mathematical expressions with user-defined variables safely. Because evaluate() does not sufficiently validate what it is given, an attacker can supply a crafted context object, or reach a member of the context object that evaluate() receives, and trigger arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-94 (Improper Control of Generation of Code, 'Code Injection').
An unauthenticated remote attacker can exploit the flaw over the network with low attack complexity and no user interaction. Successful exploitation yields arbitrary code execution with the privileges of the application process that embeds the library, so confidentiality, integrity and availability are all at high impact. As with any library vulnerability, the network attack vector assumes the embedding application passes attacker-influenced expressions or context to evaluate(); applications that only evaluate trusted, server-defined expressions are exposed to a correspondingly smaller degree.
The issue is documented in GHSA-jc85-fpwf-qm7x and in CERT/CC vulnerability note VU#263614 (kb.cert.org). The upstream repository silentmatt/expr-eval and the fork jorenbroekema/expr-eval host the code, and pull request #288 carries the patch for the input validation flaw. Update to a fixed release of whichever package your lockfile actually resolves; the upstream package and the fork are published separately, so check the advisory for the fixed version of each.
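The flaw class described above, as an added example written for this page (it is not expr-eval's source and not the patch from pull request #288): a toy stack evaluator in the general shape of such libraries, which compile an expression to an instruction list and run it against a caller-supplied context object. The instruction names, the two evaluate() variants, the sample context and the function registry are all constructed here. evaluateUnsafe() shows both shapes named in the CVE text, a context object carrying a callable and a member chain from a context value to the Function constructor; evaluateSafe() shows the generic checks that close them.

```javascript
// Added example: constructed toy evaluator, not expr-eval's code or its fix.
// Instruction names and the sample context below are assumptions for this page.
const INUMBER = 'INUMBER';   // push a numeric literal
const ISTRING = 'ISTRING';   // push a string literal
const IVAR = 'IVAR';         // push context[name]
const IMEMBER = 'IMEMBER';   // replace top of stack with top[name]
const IFUNCALL = 'IFUNCALL'; // pop `value` args and a callee, push callee(...args)

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function popArgs(stack, n) {
  const args = [];
  for (let i = 0; i < n; i++) args.unshift(stack.pop());
  return args;
}

// Vulnerable shape: trusts every value reachable from the context object.
function evaluateUnsafe(instructions, context) {
  const stack = [];
  for (const ins of instructions) {
    switch (ins.type) {
      case INUMBER: case ISTRING: stack.push(ins.value); break;
      case IVAR: stack.push(context[ins.value]); break;        // any key, own or inherited
      case IMEMBER: stack.push(stack.pop()[ins.value]); break; // any property: constructor, __proto__, ...
      case IFUNCALL: {
        const args = popArgs(stack, ins.value);
        const f = stack.pop();
        if (typeof f !== 'function') throw new Error('not a function');
        stack.push(f.apply(undefined, args));                  // calls whatever the expression reached
        break;
      }
      default: throw new Error(`unknown instruction ${ins.type}`);
    }
  }
  return stack.pop();
}

// Hardened shape: callees come only from an explicit registry, context values
// are plain data, and member access is limited to own properties.
function evaluateSafe(instructions, context, functions) {
  const registered = new Set(Object.values(functions));
  const stack = [];
  const pushData = (v) => {
    if (typeof v === 'function') throw new Error('context values are not callable');
    stack.push(v);
  };
  for (const ins of instructions) {
    switch (ins.type) {
      case INUMBER: case ISTRING: stack.push(ins.value); break;
      case IVAR:
        if (hasOwn(functions, ins.value)) stack.push(functions[ins.value]);
        else if (hasOwn(context, ins.value)) pushData(context[ins.value]);
        else throw new Error(`undefined variable ${ins.value}`);
        break;
      case IMEMBER: {
        const obj = stack.pop();
        // own-property check refuses constructor/__proto__/prototype on any plain object
        if (obj === null || typeof obj !== 'object' || !hasOwn(obj, ins.value)) {
          throw new Error(`cannot access member ${ins.value}`);
        }
        pushData(obj[ins.value]);
        break;
      }
      case IFUNCALL: {
        const args = popArgs(stack, ins.value);
        const f = stack.pop();
        if (!registered.has(f)) throw new Error('call target is not a registered function');
        stack.push(f.apply(undefined, args));
        break;
      }
      default: throw new Error(`unknown instruction ${ins.type}`);
    }
  }
  return stack.pop();
}

// Constructed sample context and registry, as an application might pass them.
const SAMPLE_CONTEXT = { x: {}, user: { name: 'alice', delete: () => 'account deleted' } };
const REGISTRY = { max: Math.max };

// Instruction lists as a compiler would emit them for three expressions.
const CALL_CONTEXT_METHOD = [ // user.delete()  : crafted context carrying a callable
  { type: IVAR, value: 'user' }, { type: IMEMBER, value: 'delete' }, { type: IFUNCALL, value: 0 }];
const MEMBER_CHAIN_TO_FUNCTION = [ // x.constructor.constructor("return 6*7")()  : member chain escape
  { type: IVAR, value: 'x' }, { type: IMEMBER, value: 'constructor' }, { type: IMEMBER, value: 'constructor' },
  { type: ISTRING, value: 'return 6*7' }, { type: IFUNCALL, value: 1 }, { type: IFUNCALL, value: 0 }];
const REGISTERED_CALL = [ // max(1, 4)  : legitimate call through the registry
  { type: IVAR, value: 'max' }, { type: INUMBER, value: 1 }, { type: INUMBER, value: 4 }, { type: IFUNCALL, value: 2 }];

function run(evaluator, instructions) {
  try { return evaluator(instructions, SAMPLE_CONTEXT, REGISTRY); }
  catch (e) { return `blocked: ${e.message}`; }
}

// Side-by-side results; the unsafe variant reaches host code, the safe one does not.
function compare() {
  return {
    unsafeContextMethod: run(evaluateUnsafe, CALL_CONTEXT_METHOD),    // 'account deleted'
    safeContextMethod: run(evaluateSafe, CALL_CONTEXT_METHOD),        // blocked
    unsafeMemberChain: run(evaluateUnsafe, MEMBER_CHAIN_TO_FUNCTION), // 42
    safeMemberChain: run(evaluateSafe, MEMBER_CHAIN_TO_FUNCTION),     // blocked
    safeRegistered: run(evaluateSafe, REGISTERED_CALL),               // 4
  };
}

console.log(compare());
```

The two gates in evaluateSafe() map onto the two attack shapes in the CVE text: the registry check means a callable placed in the context object is never invoked, and the own-property check means a member path cannot walk from a harmless context value up to Function or the prototype chain. An own-property check is preferable to a denylist of names such as constructor or __proto__, because the denylist has to enumerate every inherited route. Whether the real patch takes exactly this approach should be confirmed against pull request #288 rather than inferred from this example.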
Details
- CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability gives an unauthenticated remote attacker code execution through a JavaScript expression-evaluator library. Where an application exposes evaluate() to network input, exploitation is T1190 (Exploit Public-Facing Application); the payload that runs is JavaScript executed by the abused interpreter, which is T1059.007 (Command and Scripting Interpreter: JavaScript).