CVE-2025-12735
Published: 05 November 2025
Summary
CVE-2025-12735 is a critical-severity Code Injection (CWE-94) vulnerability in Jorenbroekema Javascript Expression Evaluator. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2025-12735, published on 2025-11-05, affects the expr-eval JavaScript library, an expression parser and evaluator designed to safely process mathematical expressions with user-defined variables. The vulnerability arises from insufficient input validation, enabling an attacker to supply a crafted context object or leverage a MEMBER of the context object within the evaluate() function to trigger arbitrary code execution. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-94 (Code Injection).
Any unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation grants arbitrary code execution in the context of the application using the library, resulting in high-impact compromise of confidentiality, integrity, and availability.
Advisories such as GHSA-jc85-fpwf-qm7x and CERT KB 263614 document the issue, while the expr-eval repositories (jorenbroekema/expr-eval and silentmatt/expr-eval) and pull request #288 provide details on the patches that address the input validation flaw and recommend updating to patched versions of the library.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-37820
Vulnerability details
The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object or use MEMBER of the context object into the evaluate() function and trigger arbitrary code execution.
- CWE(s): CWE-94 (Code Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated remote code execution in a JavaScript expression evaluator library. This directly maps to T1190 (Exploit Public-Facing Application), because the malicious input arrives over the network, and to T1059.007 (JavaScript), because the abused interpreter is what ends up executing attacker-controlled code.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the vulnerability by applying patches to the expr-eval library as recommended in advisory GHSA-jc85-fpwf-qm7x and pull request #288.
- Enforces validation of crafted context objects and inputs to the evaluate() function to block code injection attempts.
- RA-5 (Vulnerability Monitoring and Scanning): Identifies the CVE-2025-12735 vulnerability in expr-eval library dependencies through periodic scanning and monitoring.
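An added example, not code from this page or from the expr-eval project, of the input-validation control listed above: an allow-list filter that rebuilds the variable context as a null-prototype object holding only finite numbers, booleans and flat numeric arrays, so functions, nested objects and prototype keys never reach an evaluate()-style call. The function name sanitizeContext and the exact rules are assumptions of this example.

```javascript
'use strict';

// Added example, not part of the page or of expr-eval. A defensive
// allow-list for the variable context handed to an expression evaluator:
// only own keys with identifier-like names whose values are finite numbers,
// booleans, or flat arrays of those survive; everything else is rejected.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

function isSafeScalar(v) {
  return (typeof v === 'number' && Number.isFinite(v)) || typeof v === 'boolean';
}

function sanitizeContext(input, maxVars = 64) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new TypeError('context must be a plain object');
  }
  const out = Object.create(null); // no prototype chain for an expression to reach into
  const keys = Object.keys(input); // own enumerable keys only; inherited ones are ignored
  if (keys.length > maxVars) throw new RangeError('too many variables');
  for (const k of keys) {
    // JSON.parse can create an own "__proto__" key; refuse it and other magic names
    if (FORBIDDEN_KEYS.has(k) || !IDENT.test(k)) {
      throw new TypeError(`illegal variable name: ${k}`);
    }
    const v = input[k];
    if (isSafeScalar(v)) {
      out[k] = v;
    } else if (Array.isArray(v) && v.every(isSafeScalar)) {
      out[k] = v.slice(); // copy so the caller cannot mutate it after validation
    } else {
      // functions, nested objects, strings and symbols are all refused
      throw new TypeError(`unsupported value for ${k}: ${typeof v}`);
    }
  }
  return out;
}

// Constructed input for illustration; the result is what would be passed to the evaluator.
const safeCtx = sanitizeContext({ x: 2, y: 3.5, flags: [1, 0] });
// safeCtx = { x: 2, y: 3.5, flags: [1, 0] } with a null prototype
```

Pass the returned object to the evaluator in place of the raw request payload, and treat any thrown error as a rejected request rather than something to fall back from.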