According to TechRadar, the expr-eval JavaScript library, which has over 800,000 weekly downloads on NPM, has a critical security vulnerability tracked as CVE-2025-12735 with a severity score of 9.8 out of 10. Security researcher Jangwoo Choe discovered this remote code execution flaw, which affects versions up to and including 2.0.2 and allows attackers to execute malicious code without user interaction. The vulnerability stems from insufficient input validation that lets dangerous function objects into the evaluation context, potentially enabling system-level command execution and data exfiltration. A fix is available in version 2.0.3 via Pull Request #288, and users can also migrate to the actively maintained expr-eval-fork at version 3.0.0. The library is used in more than 250 projects for parsing mathematical expressions in calculators and data analysis tools.
Why this matters
Here’s the thing – this isn’t just some obscure library nobody uses. We’re talking about something with 800,000 weekly downloads that’s embedded in hundreds of projects. The scary part is how this library is typically used: it’s designed to safely evaluate user-supplied mathematical expressions. Basically, exactly the kind of situation where you’d expect untrusted input. And that’s where the problem lies.
The vulnerability essentially breaks the sandbox that was supposed to keep user input contained. When you can inject function objects into the evaluation context, all bets are off. Suddenly that innocent-looking calculator on your website could be executing system commands. Not great.
What developers should do
If you’re using expr-eval, you need to update to version 2.0.3 immediately. Like, right now. The patch is already available, so there’s really no excuse. Alternatively, consider switching to expr-eval-fork at version 3.0.0, which appears to be more actively maintained.
But updating alone might not be enough. You should also review how you’re using this library. Are you feeding user-supplied data directly into evaluate() calls? Because you probably shouldn’t be doing that anymore. The advisory recommends sanitizing the variables object that is passed to the evaluator, so that it cannot be used to inject functions or modify prototypes.
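One way to apply that recommendation, as an added example that is not part of the article or of expr-eval itself (the function names, the allow-list of finite numbers and numeric arrays, and the sample inputs are my own assumptions): build a clean, allow-listed copy of the user-supplied variables object before it ever reaches evaluate().

```javascript
// Added example: an allow-listing sanitizer for a "variables" object.
// Only finite numbers (and flat arrays of finite numbers) survive;
// functions are rejected, and the keys that reach Object.prototype
// (__proto__, constructor, prototype) are rejected outright.

const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const NAME_RE = /^[A-Za-z_][A-Za-z0-9_]*$/; // identifier-like names only

function isFiniteNumber(v) {
  return typeof v === "number" && Number.isFinite(v);
}

// Returns a null-prototype object so a lookup such as vars.constructor
// cannot fall through to Object.prototype; throws on anything not allowed.
function sanitizeVariables(input) {
  if (input === null || typeof input !== "object" || Array.isArray(input)) {
    throw new TypeError("variables must be a plain object");
  }
  const clean = Object.create(null);
  for (const key of Object.keys(input)) {
    if (BLOCKED_KEYS.has(key) || !NAME_RE.test(key)) {
      throw new Error(`rejected variable name: ${key}`);
    }
    const value = input[key];
    if (isFiniteNumber(value)) {
      clean[key] = value;
    } else if (Array.isArray(value) && value.every(isFiniteNumber)) {
      clean[key] = value.slice(); // copy, so the caller cannot mutate it later
    } else {
      // Functions, nested objects, strings, NaN and Infinity all land here.
      throw new Error(`rejected value for ${key}: ${typeof value}`);
    }
  }
  return clean;
}

// Convenience predicate: true when the sanitizer accepts the input.
function isSafeVariables(input) {
  try { sanitizeVariables(input); return true; } catch (e) { return false; }
}

// Constructed sample inputs (hypothetical). The hostile ones mirror the two
// attack classes the advisory names: a function smuggled in as a variable,
// and an own "__proto__" key, which JSON.parse will happily create.
const benignVars = { x: 2, y: 3.5, xs: [1, 2, 3] };
const functionVars = { x: 1, f: function () { return 1; } };
const protoVars = JSON.parse('{"__proto__": {"polluted": true}, "x": 1}');
```

Pass the returned object, never the raw request body, to evaluate(); the null prototype also means the evaluator cannot reach Object.prototype through the variables it is given.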
Bigger picture
This situation highlights a recurring problem in the JavaScript ecosystem. Popular libraries become critical infrastructure, but security often feels like an afterthought. When something with this many downloads has a critical RCE flaw, it affects countless applications downstream.
And honestly, how many developers even know they’re using this library? It might be buried deep in their dependency tree. That’s the real danger with these widely adopted utilities – they become invisible until they break.
Looking ahead, we’re probably going to see more of these supply chain attacks and vulnerabilities in foundational libraries. The JavaScript ecosystem moves fast, but security sometimes gets left behind. Maybe it’s time for more rigorous security reviews before libraries hit these download numbers?
