{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12735", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2025-11-05T00:04:49.648Z", "datePublished": "2025-11-05T00:22:55.297Z", "dateUpdated": "2025-11-22T23:45:45.512Z"}, "containers": {"cna": {"title": "CVE-2025-12735", "descriptions": [{"lang": "en", "value": "The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object or use MEMBER of the context object into the evaluate() function and trigger arbitrary code execution."}], "source": {"discovery": "EXTERNAL"}, "affected": [{"vendor": "silentmatt", "product": "expr-eval", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "2.0.2", "versionType": "semver"}]}, {"vendor": "expr-eval-fork", "product": "expr-eval-fork", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "3.0.0", "versionType": "semver"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94: Improper Control of Generation of Code (\u2018Code Injection\u2019)"}]}, {"descriptions": [{"lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u2018Prototype Pollution\u2019)"}]}], "metrics": [{"other": {"type": "ssvcV2_0_0", "content": {"timestamp": "2025-11-07T15:47:01.238Z", "schemaVersion": "2.0.0", "selections": [{"values": [{"key": "P", "name": "Public PoC"}], "name": "Exploitation", "version": "1.1.0", "namespace": "ssvc", "definition": "The present state of exploitation of the vulnerability.", "key": "E"}, {"values": [{"key": "Y", "name": "Yes"}], "name": "Automatable", "version": "2.0.0", "namespace": "ssvc", "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?", "key": "A"}, {"values": [{"key": "T", "name": "Total"}], "name": "Technical Impact", "version": "1.0.0", "namespace": "ssvc", "definition": "The technical impact of the vulnerability.", "key": "TI"}]}}}], "references": [{"url": "https://github.com/silentmatt/expr-eval"}, {"url": "https://github.com/jorenbroekema/expr-eval"}, {"url": "https://www.npmjs.com/package/expr-eval-fork"}, {"url": "https://www.npmjs.com/package/expr-eval"}, {"url": "https://github.com/silentmatt/expr-eval/pull/288"}, {"url": "https://github.com/advisories/GHSA-jc85-fpwf-qm7x", "name": "Github Security Advisory", "tags": ["third-party-advisory"]}, {"url": "https://kb.cert.org/vuls/id/263614", "name": "CERT/CC Advisory", "tags": ["third-party-advisory"]}], "credits": [{"lang": "en", "value": "This issue was reported by Jangwoo Choe (UKO)", "type": "finder"}, {"lang": "en", "value": "Patch validation assistance provided by GitHub user huydoppaz.", "type": "remediation verifier"}], "x_generator": {"engine": "VINCE 3.0.28", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-12735"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2025-11-22T23:45:45.512Z"}}, "adp": [{"references": [{"url": "https://github.com/jorenbroekema/expr-eval/blob/460b820ba01c5aca6c5d84a7d4f1fa5d1913c67b/test/security.js", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-11-10T14:06:48.027568Z", "id": "CVE-2025-12735", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-10T14:07:11.995Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://www.kb.cert.org/vuls/id/263614"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-08T00:11:55.078Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.kb.cert.org/vuls/id/263614"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-08T00:11:55.078Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-12735", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-10T14:06:48.027568Z"}}}], "references": [{"url": "https://github.com/jorenbroekema/expr-eval/blob/460b820ba01c5aca6c5d84a7d4f1fa5d1913c67b/test/security.js", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T18:57:21.585Z"}}], "cna": {"title": "CVE-2025-12735", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "This issue was reported by Jangwoo Choe (UKO)"}, {"lang": "en", "type": "remediation verifier", "value": "Patch validation assistance provided by GitHub user huydoppaz."}], "metrics": [{"other": {"type": "ssvcV2_0_0", "content": {"timestamp": "2025-11-07T15:47:01.238Z", "selections": [{"key": "E", "name": "Exploitation", "values": [{"key": "P", "name": "Public PoC"}], "version": "1.1.0", "namespace": "ssvc", "definition": "The present state of exploitation of the vulnerability."}, {"key": "A", "name": "Automatable", "values": [{"key": "Y", "name": "Yes"}], "version": "2.0.0", "namespace": "ssvc", "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?"}, {"key": "TI", "name": "Technical Impact", "values": [{"key": "T", "name": "Total"}], "version": "1.0.0", "namespace": "ssvc", "definition": "The technical impact of the vulnerability."}], "schemaVersion": "2.0.0"}}}], "affected": [{"vendor": "silentmatt", "product": "expr-eval", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.2"}]}, {"vendor": "expr-eval-fork", "product": "expr-eval-fork", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.0.0"}]}], "references": [{"url": "https://github.com/silentmatt/expr-eval"}, {"url": "https://github.com/jorenbroekema/expr-eval"}, {"url": "https://www.npmjs.com/package/expr-eval-fork"}, {"url": "https://www.npmjs.com/package/expr-eval"}, {"url": "https://github.com/silentmatt/expr-eval/pull/288"}, {"url": "https://github.com/advisories/GHSA-jc85-fpwf-qm7x", "name": "Github Security Advisory", "tags": ["third-party-advisory"]}, {"url": "https://kb.cert.org/vuls/id/263614", "name": "CERT/CC Advisory", "tags": ["third-party-advisory"]}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.28", "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-12735"}, "descriptions": [{"lang": "en", "value": "The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object or use MEMBER of the context object into the evaluate() function and trigger arbitrary code execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94: Improper Control of Generation of Code (\u2018Code Injection\u2019)"}]}, {"descriptions": [{"lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u2018Prototype Pollution\u2019)"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2025-11-22T23:45:45.512Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12735", "state": "PUBLISHED", "dateUpdated": "2025-11-22T23:45:45.512Z", "dateReserved": "2025-11-05T00:04:49.648Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2025-11-05T00:22:55.297Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object or use MEMBER of the context object into the evaluate() function and trigger arbitrary code execution."}], "id": "CVE-2025-12735", "lastModified": "2025-11-20T16:15:56.163", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-11-05T01:15:33.313", "references": [{"source": "cret@cert.org", "url": "https://github.com/advisories/GHSA-jc85-fpwf-qm7x"}, {"source": "cret@cert.org", "url": "https://github.com/jorenbroekema/expr-eval"}, {"source": "cret@cert.org", "url": "https://github.com/silentmatt/expr-eval"}, {"source": "cret@cert.org", "url": "https://github.com/silentmatt/expr-eval/pull/288"}, {"source": "cret@cert.org", "url": "https://kb.cert.org/vuls/id/263614"}, {"source": "cret@cert.org", "url": "https://www.npmjs.com/package/expr-eval"}, {"source": "cret@cert.org", "url": "https://www.npmjs.com/package/expr-eval-fork"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.kb.cert.org/vuls/id/263614"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/jorenbroekema/expr-eval/blob/460b820ba01c5aca6c5d84a7d4f1fa5d1913c67b/test/security.js"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "expr-eval:", "id": "2412409", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2412409"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-917", "details": ["The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted variables object into the evaluate() function and trigger arbitrary code execution.", "A vulnerability was discovered in the expr-eval npm package, a JavaScript library used to parse and evaluate mathematical expressions. The issue allows an attacker to define arbitrary functions within the context object used by the parser's evaluate() method. By providing maliciously crafted input, an attacker can exploit this flaw to inject and execute arbitrary system-level commands on the host system. This could lead to the execution of malicious code."], "name": "CVE-2025-12735", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana-pcp", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2025-11-05T00:22:55Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-12735\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-12735\nhttps://github.com/jorenbroekema/expr-eval\nhttps://github.com/silentmatt/expr-eval\nhttps://github.com/silentmatt/expr-eval/pull/288\nhttps://www.npmjs.com/package/expr-eval\nhttps://www.npmjs.com/package/expr-eval-fork"], "statement": "Although expr-eval is listed as a bundled dependency in grafana-pcp in RHEL 8, the library is not present in the compiled JavaScript bundle and the vulnerable code does not execute.", "threat_severity": "Critical"}

{"created": "2025-11-05T10:47:04.324060+00:00", "updated": "2025-11-05T10:47:04.324092+00:00", "vendors": ["expr-eval_project", "expr-eval_project$PRODUCT$expr-eval"]}