GHSA-jc85-fpwf-qm7x

GitHub Security Advisory

expr-eval does not restrict functions passed to the evaluate function

Severity: HIGH. GitHub reviewed; has an assigned CVE.

Advisory Details

The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted variables object into the evaluate() function and trigger arbitrary code execution.
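As an added defensive example (not code from expr-eval or from the advisory), the following guard validates the variables object before it reaches `evaluate()`. It assumes that callable values inside that object are what must be kept away from the evaluator, which the advisory text itself does not state, and that the deployment only needs numbers, strings, booleans, numeric arrays and nested plain objects as variables.

```javascript
// Added defensive example (not expr-eval's own code): validate the variables
// object before it reaches expr-eval's evaluate(). Assumption: a calculator-
// style deployment that only needs numbers, strings, booleans, numeric arrays
// and nested plain objects, and callable values must never reach the evaluator.
function assertSafeVariables(vars, path = 'variables') {
  if (vars === null || typeof vars !== 'object' || Array.isArray(vars)) {
    throw new TypeError(`${path}: expected a plain object`);
  }
  // Reject class instances and anything with a custom prototype chain;
  // JSON.parse output and object literals pass this check.
  const proto = Object.getPrototypeOf(vars);
  if (proto !== Object.prototype && proto !== null) {
    throw new TypeError(`${path}: only plain objects are accepted`);
  }
  for (const [key, value] of Object.entries(vars)) {
    const here = `${path}.${key}`;
    if (typeof value === 'function') {
      throw new TypeError(`${here}: callable values are not accepted`);
    }
    if (['number', 'string', 'boolean'].includes(typeof value)) continue;
    if (Array.isArray(value)) {
      if (!value.every((v) => typeof v === 'number')) {
        throw new TypeError(`${here}: arrays may only contain numbers`);
      }
      continue;
    }
    if (value !== null && typeof value === 'object') {
      assertSafeVariables(value, here); // recurse into nested scopes
      continue;
    }
    // null, undefined, symbols, bigints: nothing in the allow-list matched
    throw new TypeError(`${here}: unsupported value of type ${typeof value}`);
  }
  return vars;
}

// Wrapper mirroring the parser.evaluate(expression, variables) call shape used
// with expr-eval; `parser` is any object exposing evaluate(expr, vars), so the
// guard can be exercised here without the library installed.
function safeEvaluate(parser, expression, variables) {
  return parser.evaluate(expression, assertSafeVariables(variables));
}
```

Wrap every call site that passes user-controlled data into `evaluate()` with `safeEvaluate`, and upgrade past the last affected version listed below; the guard is an interim mitigation, not a replacement for the fix.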

Affected Packages

npm: expr-eval
Affected versions: 0 through 2.0.2 (last affected: 2.0.2)
npm: expr-eval-fork
Affected versions: 0 through 3.0.0 (last affected: 3.0.0)

Key Information

GHSA ID
GHSA-jc85-fpwf-qm7x
Published
November 5, 2025 3:30 AM
Last Modified
November 21, 2025 4:52 PM
CVSS Score
7.5 / 10
Primary Ecosystem
npm
Primary Package
expr-eval
GitHub Reviewed
✓ Yes

Dataset

Last updated: November 23, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.