November 10, 2025 By Bill Toulas

A critical vulnerability in the popular expr-eval JavaScript library, with over 800,000 weekly downloads on NPM, can be exploited to execute code remotely through maliciously crafted input.
The issue was discovered by security researcher Jangwoo Choe and is tracked as CVE-2025-12735. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the severity rating is critical, with a score of 9.8.
Originally developed by Matthew Crumley, expr-eval is a small JavaScript expression parser and evaluator, used in projects that require safe parsing and computation of user-supplied mathematical expressions at runtime.
Examples include online calculators, educational suites, simulation tools, financial tools, and, more recently, AI and natural language processing (NLP) systems that parse mathematical expressions from text prompts.