A critical remote code execution vulnerability (CVE-2025-12735) has been disclosed in `expr-eval`, a widely used JavaScript library that parses and evaluates mathematical expressions supplied as strings. Because it is a convenient way to evaluate formulas embedded in user input, the library is common in AI and Natural Language Processing (NLP) applications, often pulled in as a transitive dependency rather than chosen deliberately.
Business Impact
Any application that passes untrusted input to this library's `evaluate()` path can be exposed to arbitrary code execution inside the Node.js process; on a server that typically means full compromise of the host and anything it holds credentials for. Because `expr-eval` is frequently a deep dependency in AI/ML pipelines, organizations may not know they are running it, so the exposure is easy to overlook in a manual inventory.
Why It Happened
The library's `evaluate()` method accepts a variables object alongside the expression and does not adequately validate it: function-valued entries in that object are resolved by name and called when the expression invokes them. An attacker who can influence the expression and the variables object can therefore make the evaluator call functions it was never meant to expose, escaping the intended mathematical sandbox and reaching process-level capabilities such as command execution. The flaw is a design issue (trusting caller-supplied callables) rather than a parsing bug, which is why it is reachable from ordinary-looking input.
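To make the design flaw concrete, the following is an added example written for this brief; it is not code from `expr-eval` or its fork, and all names in it (`evaluateUnsafe`, `evaluateSafe`, `MATH_FUNCTIONS`, the hypothetical `sh` payload) are assumptions for illustration. It implements a deliberately small expression evaluator twice: once with the vulnerable pattern (function calls resolved from the caller-supplied variables object, so an attacker-controlled entry shadows or adds callables) and once hardened (callees come only from a fixed allowlist; the variables object is data only). The payload here merely records that it was invoked; in a real chain it would be something that reaches the operating system.

```javascript
// Added example, not expr-eval's code. Grammar: numbers, variables, + - * /,
// parentheses and name(args) calls. Names are hypothetical.

function tokenize(src) {
  const re = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*\/(),]))/y;
  const tokens = [];
  src = src.trim();
  while (re.lastIndex < src.length) {
    const m = re.exec(src);
    if (!m) throw new Error(`bad token in expression`);
    if (m[1] !== undefined) tokens.push({ type: "num", value: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: "id", value: m[2] });
    else tokens.push({ type: "op", value: m[3] });
  }
  return tokens;
}

// Recursive-descent parser producing a small AST.
function parse(src) {
  const toks = tokenize(src);
  let i = 0;
  const peek = () => toks[i];
  const next = () => toks[i++];
  const isOp = (v) => peek() && peek().type === "op" && peek().value === v;
  const expectOp = (v) => { if (!isOp(v)) throw new Error(`expected ${v}`); next(); };

  function primary() {
    const t = next();
    if (!t) throw new Error("unexpected end of expression");
    if (t.type === "num") return { kind: "num", value: t.value };
    if (t.type === "id") {
      if (!isOp("(")) return { kind: "var", name: t.value };
      next();                                   // consume "("
      const args = [];
      if (!isOp(")")) {
        do { args.push(additive()); } while (isOp(",") && next());
      }
      expectOp(")");
      return { kind: "call", name: t.value, args };
    }
    if (t.type === "op" && t.value === "(") { const e = additive(); expectOp(")"); return e; }
    if (t.type === "op" && t.value === "-") return { kind: "neg", arg: primary() };
    throw new Error(`unexpected ${t.value}`);
  }
  function multiplicative() {
    let left = primary();
    while (isOp("*") || isOp("/")) left = { kind: "bin", op: next().value, left, right: primary() };
    return left;
  }
  function additive() {
    let left = multiplicative();
    while (isOp("+") || isOp("-")) left = { kind: "bin", op: next().value, left, right: multiplicative() };
    return left;
  }
  const ast = additive();
  if (i !== toks.length) throw new Error("trailing input");
  return ast;
}

// The only functions an expression should ever be able to call.
const MATH_FUNCTIONS = Object.freeze({ min: Math.min, max: Math.max, abs: Math.abs, sqrt: Math.sqrt });

// Tree-walking evaluator; how a call's callee is found is the security decision.
function evaluate(ast, vars, resolveCall) {
  const ev = (n) => {
    switch (n.kind) {
      case "num": return n.value;
      case "var":
        if (!Object.prototype.hasOwnProperty.call(vars, n.name)) throw new Error(`undefined variable ${n.name}`);
        return vars[n.name];
      case "neg": return -ev(n.arg);
      case "bin": {
        const l = ev(n.left), r = ev(n.right);
        return n.op === "+" ? l + r : n.op === "-" ? l - r : n.op === "*" ? l * r : l / r;
      }
      case "call": return resolveCall(n.name, vars)(...n.args.map(ev));
    }
  };
  return ev(ast);
}

// VULNERABLE: any function-valued entry in the caller-supplied variables object
// is callable by name, and it shadows the builtin of the same name. The plain
// property read also walks the prototype chain (e.g. "constructor" resolves to Object).
function resolveCallUnsafe(name, vars) {
  const fn = vars[name] !== undefined ? vars[name] : MATH_FUNCTIONS[name];
  if (typeof fn !== "function") throw new Error(`${name} is not a function`);
  return fn;
}

// HARDENED: callees come only from the allowlist; the variables object is
// consulted for data values, never for callables.
function resolveCallSafe(name) {
  if (!Object.prototype.hasOwnProperty.call(MATH_FUNCTIONS, name)) throw new Error(`unknown function ${name}`);
  return MATH_FUNCTIONS[name];
}

function evaluateUnsafe(src, vars) { return evaluate(parse(src), vars, resolveCallUnsafe); }
function evaluateSafe(src, vars) { return evaluate(parse(src), vars, resolveCallSafe); }

// Constructed demonstration: the attacker influences the variables object and
// plants a callable under a new name ("sh") and under a builtin's name ("max").
function demo() {
  const invocations = [];
  const payload = (...args) => { invocations.push(args); return 0; }; // stands in for a child_process call
  const attackerVars = { x: 4, sh: payload, max: payload };
  const unsafeShadowed = evaluateUnsafe("max(x, 7) + 1", attackerVars); // attacker's max ran: 1
  const unsafeInjected = evaluateUnsafe("sh(x)", attackerVars);         // payload ran: 0
  const safeShadowed = evaluateSafe("max(x, 7) + 1", attackerVars);     // builtin max: 8
  let safeInjected;
  try { evaluateSafe("sh(x)", attackerVars); } catch (e) { safeInjected = e.message; }
  return { unsafeShadowed, unsafeInjected, safeShadowed, safeInjected, invocations: invocations.length };
}

console.log(demo());
```

The hardened resolver is the shape of the fix a practitioner should look for when reviewing any expression engine: the allowlist is the only source of callables, lookups use own-property checks so the prototype chain cannot be reached, and values arriving from the caller are never invoked no matter what type they carry.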
Recommended Executive Action
Direct your application security and development teams to inventory every codebase, lockfile and SBOM (especially those involving AI/NLP) for the `expr-eval` dependency, including transitive dependencies that a plain source search will miss (for example with `npm ls expr-eval` or your package manager's equivalent). Upgrade to a version in which the vulnerability is fixed or migrate to a maintained fork that carries the fix, and in the interim make sure no untrusted input can reach `evaluate()` with a caller-controlled variables object.
Hashtags: #SupplyChainSecurity #NPM #JavaScript #Vulnerability #RCE #AppSec #AI #DevSecOps
