CVE-2025-12735 expr-eval - JavaScript Library Remote Code Execution
CORTEX Protocol Intelligence Assessment
Business Impact: The CVE-2025-12735 expr-eval vulnerability highlights how "utility" dependencies buried deep in AI and web stacks can quietly become RCE footholds. Enterprises that use expression parsing in pricing engines, workflow rules, or LLM-integrated tools may face data theft or system compromise if untrusted user input flows into vulnerable versions of expr-eval.

Technical Context: CVE-2025-12735 expr-eval allows attacker-controlled function definitions in the evaluation context, undermining sandbox assumptions and enabling arbitrary command execution in Node.js environments. The fix introduces a hardened allowlist and explicit registration mechanism for custom functions, which must be adopted either through upstream patching or migration to expr-eval-fork. Because npm audit and GitHub advisories now flag the issue, organizations can use automated dependency scanning to identify affected projects.
Strategic Intelligence Guidance
- Run dependency scanning across all JavaScript and TypeScript projects to identify use of expr-eval and expr-eval-fork, prioritizing server-side and AI-integrated services.
- Upgrade to patched versions incorporating Pull Request #288 or migrate to maintained forks that enforce function allowlists and explicit registration.
- Review application inputs that accept user-defined expressions, and implement strong validation and contextual allowlists before passing values into expression parsers.
- Establish policies that treat general-purpose expression and template engines as high-risk components, subject to the same security scrutiny as deserialization libraries and scripting runtimes.
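As an added defensive example (not code from expr-eval, expr-eval-fork, or Pull Request #288), the following JavaScript gate applies the contextual allowlists the guidance above calls for before anything reaches an expression engine: the expression may only reference names the application has registered, and the evaluation context handed to the engine carries only finite numeric variables, never caller-supplied functions. The allowlist contents and the helper names are assumptions for illustration.

```javascript
// Added example: pre-validate a user-supplied expression and its evaluation
// context before handing either to an expression engine such as expr-eval.
// Allowlist contents and function names below are illustrative assumptions.

// Functions the application explicitly permits expressions to call.
const ALLOWED_FUNCTIONS = new Set(['min', 'max', 'abs', 'round']);

// Variables the application itself binds (e.g. pricing inputs).
const ALLOWED_VARIABLES = new Set(['price', 'qty', 'discount']);

// Tokens we care about: string literals, numeric literals (incl. 1e3), identifiers.
// Literals are matched so their contents are not mistaken for identifiers.
const TOKEN = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|\d+(?:\.\d+)?(?:[eE][+-]?\d+)?|\.\d+(?:[eE][+-]?\d+)?|[A-Za-z_][A-Za-z0-9_]*/g;

// Returns every identifier in the expression that is neither an allowed
// function nor an allowed variable. An empty result means the expression
// references nothing outside the allowlists (fail-closed on unknown names).
function findDisallowedIdentifiers(expr) {
  const seen = new Set();
  for (const m of expr.matchAll(TOKEN)) {
    const tok = m[0];
    if (!/^[A-Za-z_]/.test(tok)) continue; // skip string and number literals
    if (!ALLOWED_FUNCTIONS.has(tok) && !ALLOWED_VARIABLES.has(tok)) seen.add(tok);
  }
  return [...seen];
}

// Builds a prototype-less context holding only allowlisted variable names
// bound to finite numbers. Functions, objects, strings and inherited keys
// from untrusted input are dropped, so the engine never sees caller-defined
// callables in the context it evaluates against.
function buildSafeContext(untrustedVars) {
  const ctx = Object.create(null);
  for (const name of ALLOWED_VARIABLES) {
    if (!Object.prototype.hasOwnProperty.call(untrustedVars, name)) continue;
    const value = untrustedVars[name];
    if (typeof value === 'number' && Number.isFinite(value)) ctx[name] = value;
  }
  return ctx;
}

// Combined gate: { ok: true, context } when safe to evaluate, else { ok: false, reason }.
function prepareEvaluation(expr, untrustedVars) {
  const bad = findDisallowedIdentifiers(expr);
  if (bad.length > 0) return { ok: false, reason: `disallowed identifiers: ${bad.join(', ')}` };
  return { ok: true, context: buildSafeContext(untrustedVars) };
}
```

Only when `prepareEvaluation` returns `ok: true` should the application parse the expression and evaluate it against the returned `context`; a rejection is worth logging, since repeated unknown identifiers from one client are a useful detection signal.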