CVE-2025-12735

CRITICAL

expr-eval - Crafted Context Object Code Execution


Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-12735. PoCs published by alecasg555, AN5I, alnashawatirohwederb2167-max.

AI-analyzed exploit summary: This repository provides a secure drop-in replacement for the vulnerable `expr-eval` library (CVE-2025-12735), which was susceptible to arbitrary code execution via JavaScript's `eval()` function. The `safe-expr-eval` library implements a secure expression evaluator using tokenization, parsing, and AST evaluation without dynamic code execution.

Description

The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object to the evaluate() function, or reference a member of that context object from within an expression, and trigger arbitrary code execution.

Exploits (3)

nomisec · WORKING POC · 2 stars
by alecasg555 · poc
https://github.com/alecasg555/safe-expr-eval

This repository provides a secure drop-in replacement for the vulnerable `expr-eval` library (CVE-2025-12735), which was susceptible to arbitrary code execution via JavaScript's `eval()` function. The `safe-expr-eval` library implements a secure expression evaluator using tokenization, parsing, and AST evaluation without dynamic code execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: expr-eval (versions affected by CVE-2025-12735)
No auth needed
Prerequisites: Presence of vulnerable `expr-eval` library in the target environment · Ability to inject malicious expressions into the evaluator
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC
by AN5I · poc
https://github.com/AN5I/cve-2025-12735-expr-eval-rce

This repository contains a Python-based exploit for CVE-2025-12735, targeting the `expr-eval` and `expr-eval-fork` npm packages. The exploit demonstrates RCE by manipulating the context object to inject arbitrary functions, with features for detection, endpoint discovery, and command execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: expr-eval and expr-eval-fork npm packages < 3.0.0
No auth needed
Prerequisites: Target must be using vulnerable versions of expr-eval or expr-eval-fork · Access to an endpoint that evaluates expressions
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC
by alnashawatirohwederb2167-max · poc
https://github.com/alnashawatirohwederb2167-max/cve-2025-12735-expr-eval-rce

This repository contains a Python-based exploit for CVE-2025-12735, targeting the `expr-eval` and `expr-eval-fork` npm packages. The exploit demonstrates RCE by injecting arbitrary functions into the context object used by the parser.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: expr-eval and expr-eval-fork npm packages < 3.0.0
No auth needed
Prerequisites: Target must be using vulnerable versions of expr-eval or expr-eval-fork · Access to an endpoint that evaluates expressions
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 9.8
EPSS: 0.0008
EPSS Percentile: 23.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

CWE: CWE-94
Status: published
Products (4):
jorenbroekema/javascript_expression_evaluator 3.0.0
npm/expr-eval 0 (npm)
npm/expr-eval-fork 0 - 3.0.1 (npm)
silentmatt/javascript_expression_evaluator < 2.0.2
Published: Nov 05, 2025
Tracked Since: Feb 18, 2026