
CVE-2025-12735

Critical · RCE

Published: 05 November 2025
Modified: 10 February 2026
KEV Added: not listed
Patch: available (see Deeper analysis)
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0008 (23.5th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-12735 is a critical-severity Code Injection (CWE-94) vulnerability in the Jorenbroekema JavaScript Expression Evaluator, i.e. the expr-eval library (both the jorenbroekema and the original silentmatt packages are listed under Affected Assets). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By exploit likelihood the CVE ranks at the 23.5th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2025-12735, published on 2025-11-05, affects the expr-eval JavaScript library, an expression parser and evaluator designed to safely process mathematical expressions with user-defined variables. The vulnerability arises from insufficient input validation in evaluate(): an attacker who controls the expression can supply a crafted context object, or use the parser's member-access (MEMBER) operator on a value in the context object, to reach and call functions that were never meant to be callable from an expression, resulting in arbitrary code execution. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-94 (Code Injection).

Any unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation grants arbitrary code execution in the context of the application using the library, resulting in high-impact compromise of confidentiality, integrity, and availability.

Advisories such as GHSA-jc85-fpwf-qm7x and the CERT/CC vulnerability note VU#263614 document the issue, while the expr-eval repositories (jorenbroekema/expr-eval and silentmatt/expr-eval) and pull request #288 provide details on the patch for the input validation flaw; the recommended remediation is to update to a patched version of the library.
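The guard below is an added example, not code from expr-eval, its fork, or the advisories. It is an application-side check placed in front of Parser#evaluate(expr, values) and assumes the application receives an untrusted expression string plus a JSON-derived context object; the allowlisted function names (abs, sqrt, min, ...) and the size limits are this example's own policy, not the library's. It generalizes past the member-access case the description names: any identifier that is neither a declared context key nor an allowlisted function is rejected, whatever path the expression uses to reach it, and the context itself is restricted to plain data.

```javascript
// Added example (not expr-eval code): an application-side guard in front of
// Parser#evaluate(expr, values). Two checks, both this example's own policy:
//  1. every identifier in the expression must be a declared context key or an
//     allowlisted function name, so "constructor", "process", etc. are rejected
//     whether reached through the MEMBER operator or any other way;
//  2. the context may hold only plain data (numbers, booleans, strings, arrays,
//     plain objects): no functions, no class instances, no prototype keys.
// Even primitives expose .constructor in JavaScript, so check 1 is the primary
// control and check 2 is defense in depth.

const ALLOWED_FUNCTIONS = new Set(['abs', 'sqrt', 'min', 'max', 'round', 'floor', 'ceil']); // assumed app policy
const ALLOWED_WORDS = new Set(['and', 'or', 'not', 'true', 'false']);                         // keywords this app permits
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const MAX_DEPTH = 4;
const MAX_EXPR_LEN = 512;

// Numbers are matched before identifiers so "1e3" is a number, not the identifier "e3".
const TOKEN_RE = /(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?|[A-Za-z_$][\w$]*/g;

function identifiersIn(expr) {
  const ids = [];
  for (const m of expr.matchAll(TOKEN_RE)) {
    if (/^[A-Za-z_$]/.test(m[0])) ids.push(m[0]);
  }
  return ids;
}

// Deep-copies `value` into null-prototype objects; throws on anything that is not plain data.
function sanitizeContext(value, depth = 0, path = 'values') {
  if (depth > MAX_DEPTH) throw new Error(`${path}: nesting deeper than ${MAX_DEPTH}`);
  const t = typeof value;
  if (t === 'number' || t === 'boolean' || t === 'string') return value;
  if (Array.isArray(value)) {
    return value.map((v, i) => sanitizeContext(v, depth + 1, `${path}[${i}]`));
  }
  if (value !== null && t === 'object') {
    const proto = Object.getPrototypeOf(value);
    if (proto !== Object.prototype && proto !== null) throw new Error(`${path}: non-plain object`);
    const out = Object.create(null);
    for (const key of Object.keys(value)) {
      if (FORBIDDEN_KEYS.has(key)) throw new Error(`${path}.${key}: forbidden key`);
      out[key] = sanitizeContext(value[key], depth + 1, `${path}.${key}`);
    }
    return out;
  }
  throw new Error(`${path}: ${value === null ? 'null' : t} not allowed`);
}

// Collects every key at every nesting level so "p.q" can be validated against "p" and "q".
function collectKeys(value, into) {
  if (Array.isArray(value)) value.forEach((v) => collectKeys(v, into));
  else if (value !== null && typeof value === 'object') {
    for (const k of Object.keys(value)) { into.add(k); collectKeys(value[k], into); }
  }
}

// Returns { ok: true, values } safe to pass to evaluate(), or { ok: false, reason }.
function guardEvaluateInput(expr, values) {
  if (typeof expr !== 'string' || expr.length > MAX_EXPR_LEN) {
    return { ok: false, reason: `expression must be a string of at most ${MAX_EXPR_LEN} chars` };
  }
  if (values === null || typeof values !== 'object' || Array.isArray(values)) {
    return { ok: false, reason: 'values must be a plain object' };
  }
  let safeValues;
  try { safeValues = sanitizeContext(values); } catch (e) { return { ok: false, reason: e.message }; }
  const declared = new Set();
  collectKeys(safeValues, declared);
  for (const id of identifiersIn(expr)) {
    if (declared.has(id) || ALLOWED_FUNCTIONS.has(id) || ALLOWED_WORDS.has(id)) continue;
    return { ok: false, reason: `identifier "${id}" is neither a declared variable nor an allowed function` };
  }
  return { ok: true, values: safeValues };
}

// Constructed sample inputs: a benign formula and three shapes the description warns about.
const SAMPLES = [
  ['2 * x + sqrt(y) + 1e3', { x: 3, y: 16 }],
  ['x.constructor.constructor("return 1")()', { x: {} }], // member access reaching undeclared names
  ['f(1)', { f: () => 1 }],                                // function smuggled in through the context
  ['y', JSON.parse('{"__proto__": {"y": 1}}')],            // prototype key in JSON input
];
for (const [expr, values] of SAMPLES) {
  const r = guardEvaluateInput(expr, values);
  console.log(r.ok ? `ALLOW  ${expr}` : `REJECT ${expr}  (${r.reason})`);
}
```

Only the `values` object returned by `guardEvaluateInput` should be handed to `evaluate()`; it is a null-prototype copy, so the original object (and anything reachable from its prototype chain) never enters the evaluator. The guard is a compensating control for applications that cannot upgrade immediately; it does not replace the library patch.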


Vulnerability details

The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object or use MEMBER of the context object into the evaluate() function and trigger arbitrary code execution.

CWE(s): CWE-94 Improper Control of Generation of Code ('Code Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The vulnerability enables unauthenticated remote code execution through a JavaScript expression evaluator library. Where the expression input is reachable over the network, that is T1190 (Exploit Public-Facing Application); the execution itself happens inside the abused JavaScript interpreter, which is T1059.007 (JavaScript).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One (shared CWE-94)

CVE-2026-25887
CVE-2026-41507
CVE-2025-23061
CVE-2026-43997
CVE-2026-1615
CVE-2026-33943
CVE-2026-33881
CVE-2026-4800
CVE-2026-25141
CVE-2025-26260

Affected Assets

jorenbroekema / javascript expression evaluator: 3.0.0
silentmatt / javascript expression evaluator: ≤ 2.0.2

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Prevent · SI-2 (Flaw Remediation): directly mitigates the vulnerability by applying the patched expr-eval release referenced in advisory GHSA-jc85-fpwf-qm7x and pull request #288.

Prevent · input validation: enforces validation of the context object and of the expression passed to evaluate() (only declared variables and allowlisted functions in the expression; no functions or non-plain objects in the context) so that crafted input cannot reach code execution.

Detect · RA-5 (Vulnerability Monitoring and Scanning): identifies CVE-2025-12735 in expr-eval dependencies through periodic dependency and lockfile scanning.
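As an added example of the scanning control (not a tool from the page or from the expr-eval project), the script below walks an npm package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map keyed by install path) and reports every nested copy of expr-eval at a version inside the range the Affected Assets list gives for silentmatt/expr-eval (≤ 2.0.2). The lockfile embedded in the script is constructed sample input. Because the page states no version range for the jorenbroekema fork, any other package whose name begins with expr-eval is only listed for manual review.

```javascript
// Added example: scan an npm package-lock.json for expr-eval at an affected version.
// Not code from the page or the project. Affected range taken from the Affected Assets
// list on this page (silentmatt/expr-eval <= 2.0.2); forks are reported for review only.

const AFFECTED_MAX = [2, 0, 2];

// "2.0.2" -> [2, 0, 2]; pre-release/build suffixes are ignored, non-semver returns null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// "node_modules/some-plugin/node_modules/expr-eval" -> "expr-eval" (nested copies count too).
function packageNameFromPath(p) {
  const idx = p.lastIndexOf('node_modules/');
  return idx === -1 ? p : p.slice(idx + 'node_modules/'.length);
}

// Returns one finding per expr-eval-like entry: { path, name, version, status }.
function findExprEval(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = packageNameFromPath(path);
    if (name === 'expr-eval') {
      const ver = parseVersion(meta.version || '');
      const affected = ver !== null && compareVersions(ver, AFFECTED_MAX) <= 0;
      findings.push({
        path, name, version: meta.version,
        status: affected ? 'AFFECTED (CVE-2025-12735)' : 'not in affected range',
      });
    } else if (name.startsWith('expr-eval')) {
      findings.push({ path, name, version: meta.version, status: 'REVIEW: expr-eval fork, check advisory' });
    }
  }
  return findings;
}

// Constructed sample lockfile: one direct and one transitively nested copy of expr-eval.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0', dependencies: { 'expr-eval': '^2.0.2' } },
    'node_modules/expr-eval': { version: '2.0.2' },
    'node_modules/some-plugin': { version: '4.1.0' },
    'node_modules/some-plugin/node_modules/expr-eval': { version: '1.2.2' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

// Usage: node scan-expr-eval.js [path/to/package-lock.json]; without an argument the sample is scanned.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  for (const f of findExprEval(lock)) console.log(`${f.status}\t${f.name}@${f.version}\t${f.path}`);
}
```

Nested copies matter: a direct upgrade of expr-eval in package.json does not replace a copy pinned by a plugin deeper in node_modules, which is why the scan keys on the install path rather than on the root dependency list.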
