Description
All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are transformed directly into executable JavaScript, attackers can escape the intended expression sandbox and run arbitrary code within the application's context.
Published: 2026-06-23
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the expr‑eval library’s toJSFunction API, which converts user‑supplied expression strings into native JavaScript code via new Function. Because the conversion occurs without sanitisation, an attacker can supply a crafted expression that turns into executable JavaScript, escaping the intended sandbox. The result is arbitrary code execution within the process that loads the library, as defined by the CWE‑94 and CWE‑917 classifications.

Affected Systems

All released versions of expr‑eval, a JavaScript expression evaluator library commonly used in web and Node.js applications, are affected. Any project that imports the npm package expr‑eval and exposes the toJSFunction interface to untrusted input, regardless of vendor, is vulnerable. The issue is present across all major releases up to and including the latest published version at the time of disclosure.

Risk and Exploitability

The CVSS score of 9.2 categorises the flaw as critical, signalling that exploitation would grant full control over the target environment. The EPSS score of 0.00454 indicates a very low exploitation probability. The absence of a KEV listing does not reduce the urgency, because the flaw permits direct execution. Attackers would most likely target applications that evaluate expressions from external sources, such as user‑configurable scripts or validation rules; the code path is reachable as soon as toJSFunction is called with crafted input.

Generated by OpenCVE AI on June 25, 2026 at 02:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the expr‑eval library to the most recent release that removes or hardens the toJSFunction API; the patch is available in the GitHub repository and the npm registry.
  • If the application cannot be updated, refactor the code to eliminate calls to toJSFunction, or replace it with a safely configured alternative that does not execute arbitrary JavaScript.
  • Apply strict input validation or a whitelist of permissible operators before passing expressions to the library, ensuring that only non‑executable fragments are allowed.

Generated by OpenCVE AI on June 25, 2026 at 02:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 19:00:00 +0000

Type Values Removed Values Added
References

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Code Execution Vulnerability in Expr-eval toJSFunction API expr-eval: expr-eval: Code Execution via crafted expressions in toJSFunction() API
Weaknesses CWE-917
References
Metrics threat_severity

None

threat_severity

Low


Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Silentmatt
Silentmatt expr-eval
Vendors & Products Silentmatt
Silentmatt expr-eval

Tue, 23 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Title Code Execution Vulnerability in Expr-eval toJSFunction API

Tue, 23 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Description All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are transformed directly into executable JavaScript, attackers can escape the intended expression sandbox and run arbitrary code within the application's context.
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Silentmatt Expr-eval
cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2026-07-07T18:18:02.410Z

Reserved: 2026-06-22T08:22:34.991Z

Link: CVE-2026-12866

cve-icon Vulnrichment

Updated: 2026-06-23T12:05:41.966Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-23T05:00:00Z

Links: CVE-2026-12866 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T02:15:03Z

Weaknesses
  • CWE-917

    Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')