The vulnerability, tracked as CVE-2025-12735, allows attackers to execute arbitrary system commands through maliciously crafted input.
The expr-eval library is a JavaScript tool designed to parse and evaluate mathematical expressions safely, serving as a more secure alternative to JavaScript’s native eval() function.
With over 250 dependent packages, including oplangchain, a JavaScript implementation of the popular LangChain framework, this vulnerability has significant implications for the AI and NLP ecosystem.
Carnegie Mellon University researchers discovered that attackers can define arbitrary functions within the parser’s context object, enabling the injection of malicious code that executes system-level commands.
This vulnerability achieves Total Technical Impact under the SSVC framework, meaning adversaries gain complete control over affected software behavior and can access all system information.
| CVE ID | Affected Package | Vulnerability Type | Patched Version |
|---|---|---|---|
| CVE-2025-12735 | expr-eval, expr-eval-fork | Remote Code Execution | expr-eval-fork v3.0.0 |
The flaw is particularly dangerous for generative AI systems and NLP applications. These systems often run in server environments with access to sensitive local resources and process user-supplied mathematical expressions.
Developers using expr-eval or expr-eval-fork should take immediate action by upgrading to the expr-eval-fork version 3.0.0, which includes comprehensive security patches.
The update introduces an allowlist of safe functions, mandatory registration for custom functions, and enhanced test cases to enforce security constraints.
The vulnerability was responsibly disclosed by security researcher Jangwoo Choe (UKO) and patched through GitHub Pull Request #288.
Organizations can use npm audit to automatically detect this vulnerability in their projects through the GitHub Security Advisory GHSA-jc85-fpwf-qm7x.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Critical Vulnerability in Popular NPM Library Exposes AI and NLP Apps to Remote Code Execution appeared first on Cyber Security News.
It's not every day that you need to shop for formal wear, but when it's…
A newly identified malware campaign is raising serious concerns across the cybersecurity community by delivering…
A newly identified malware campaign is raising serious concerns across the cybersecurity community by delivering…
Security researchers have uncovered a highly sophisticated attack campaign that weaponizes a legitimate, digitally signed…
Security researchers have uncovered a highly sophisticated attack campaign that weaponizes a legitimate, digitally signed…
FORT WAYNE, Ind. (WOWO) — Indiana will see a short-lived stretch of improving and warmer…
This website uses cookies.