{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13204", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2025-11-14T16:52:35.957Z", "datePublished": "2025-11-14T17:02:39.529Z", "dateUpdated": "2025-11-14T17:02:39.529Z"}, "containers": {"cna": {"title": "CVE-2025-13204", "descriptions": [{"lang": "en", "value": "npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue."}], "source": {"discovery": "EXTERNAL"}, "affected": [{"vendor": "silentmatt", "product": "expr-eval", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "2.0.2", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "references": [{"url": "https://www.npmjs.com/package/expr-eval-fork"}, {"url": "https://github.com/silentmatt/expr-eval"}, {"url": "https://github.com/jorenbroekema/expr-eval"}], "x_generator": {"engine": "VINCE 3.0.28", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-13204"}, "metrics": [{"other": {"type": "ssvcV2_0_0", "content": {"timestamp": "2025-11-07T15:47:01.238Z", "schemaVersion": "2.0.0", "selections": [{"values": [{"key": "P", "name": "Public PoC"}], "name": "Exploitation", "version": "1.1.0", "namespace": "ssvc", "definition": "The present state of exploitation of the vulnerability.", "key": "E"}, {"values": [{"key": "Y", "name": "Yes"}], "name": "Automatable", "version": "2.0.0", "namespace": "ssvc", "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?", "key": "A"}, {"values": [{"key": "T", "name": "Total"}], "name": "Technical Impact", "version": "1.0.0", "namespace": "ssvc", "definition": "The technical impact of the vulnerability.", "key": "TI"}]}}}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2025-11-14T17:02:39.529Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue."}], "id": "CVE-2025-13204", "lastModified": "2025-11-14T17:16:01.603", "metrics": {}, "published": "2025-11-14T17:16:01.603", "references": [{"source": "cret@cert.org", "url": "https://github.com/jorenbroekema/expr-eval"}, {"source": "cret@cert.org", "url": "https://github.com/silentmatt/expr-eval"}, {"source": "cret@cert.org", "url": "https://www.npmjs.com/package/expr-eval-fork"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Received"}

{}

{}