Primary

Context

expr-eval Library Arbitrary Code Execution Vulnerability

Vulnerability

A vulnerability allowing arbitrary code execution has been identified in the expr-eval library, a JavaScript expression parser and evaluator. This issue arises from inadequate input validation, which allows attackers to pass a manipulated variables object into the evaluate() function, leading to the execution of arbitrary code. The vulnerability is present in versions of the expr-eval library prior to 2.0.3.

Impact

Exploitation of this vulnerability allows for arbitrary code execution within the context of the application using the expr-eval library.

Reproduction

To reproduce this vulnerability, use the expr-eval library version 2.0.2 or earlier. Create a new Parser instance and pass a crafted variables object to the evaluate() function. The absence of proper input validation will enable the execution of arbitrary code.

Remediation

Users can upgrade to expr-eval version 2.0.3 or later, where this vulnerability has been addressed.

Added: Nov 5, 2025, 1:18 AM

Updated: Nov 5, 2025, 1:18 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

8.4

remediation

0.0

relevance

0.9

threat

4.8

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

8.4

remediation

0.0

relevance

0.9

threat

4.8

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

expr-eval Library Arbitrary Code Execution Vulnerability

Vulnerability

Impact

Reproduction

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating