Description
All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are transformed directly into executable JavaScript, attackers can escape the intended expression sandbox and run arbitrary code within the application's context.
Published: 2026-06-23
Score: 9.2 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in expr-eval's toJSFunction API, which turns a user-supplied expression string into JavaScript source and compiles it with new Function. The generated source is not sanitised, so a crafted expression becomes executable JavaScript and escapes the sandbox the expression language is meant to provide. The outcome is arbitrary code execution in the process that loaded the library, which is why the issue is classified as CWE-94 (code injection).

Affected Systems

All released versions of expr-eval, a JavaScript expression evaluator library used in web and Node.js applications, are affected. Any project that depends on the npm package expr-eval and passes untrusted input to toJSFunction is exposed, whatever product it ships in. The issue is present in every release up to and including the latest one published at the time of disclosure.

Risk and Exploitability

The CVSS v4.0 score of 9.2 (v3.1: 9.8) rates the flaw critical: it is reachable over the network, needs no privileges or user interaction, and has full impact on confidentiality, integrity and availability. The v4.0 vector's AT:P records one attack requirement, which here is that the application must actually route attacker-controlled expressions into toJSFunction. No EPSS score is available yet, so the exploitation probability cannot be quantified, and the absence of a KEV listing does not lower the urgency, because the flaw is direct code execution rather than one step in a longer chain. The likeliest targets are applications that evaluate expressions from external sources, such as user-configurable formulas, scripts or validation rules; the code path is reachable as soon as toJSFunction is called on crafted input.

Generated by OpenCVE AI on June 23, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade expr‑eval to a release that removes or hardens the toJSFunction API as soon as one is published; the page records no vendor fix at the time of writing, so watch the project's GitHub repository and the npm registry for a patched release.
  • If the application cannot wait for a fix, remove every call to toJSFunction and evaluate expressions through a path that interprets the parsed expression rather than compiling it to JavaScript, or substitute an evaluator that never generates code.
  • Treat input validation and an allow‑list of permissible operators as defence in depth only: they do not close the code‑generation path, because any text that reaches new Function is executed as JavaScript. Check that expressions parse to the expected grammar before use, and never pass untrusted expressions to toJSFunction.

Generated by OpenCVE AI on June 23, 2026 at 06:20 UTC.
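The Impact paragraph and the recommended actions above come down to one point: an evaluator that turns untrusted expression text into JavaScript source and hands it to new Function is a code generator, and an unescaped fragment in that source is executed. The following is an added example, written for this page rather than taken from expr-eval or from the CVE record, that shows the pattern on a deliberately small expression language with its own parser: one back end compiles the tree to source with new Function (the toJSFunction-style path) and the other walks the tree directly. The greedy string-literal rule, the PAYLOAD input and the globalThis.toyMarker flag are constructed for the demonstration and say nothing about how expr-eval itself tokenises or what input triggers CVE-2026-12866.

```javascript
// Added illustration of CWE-94 in an expression evaluator: a toy language with numbers,
// "string" literals, identifiers, + - * / and parentheses, parsed once into a tree and then
// run by two back ends. Constructed for this page; it is NOT expr-eval's code.

function tokenize(src) {
  // Bug kept on purpose: the string-literal pattern is greedy, so a literal runs from the
  // first double quote to the LAST one in the input, swallowing any quotes in between.
  const re = /\s*(?:(\d+(?:\.\d+)?)|"([^]*)"|([A-Za-z_]\w*)|([-+*/()]))/y;
  const tokens = [];
  src = src.trim();
  let m;
  while (re.lastIndex < src.length && (m = re.exec(src)) !== null) {
    if (m[1] !== undefined) tokens.push({ type: 'num', value: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: 'str', value: m[2] });
    else if (m[3] !== undefined) tokens.push({ type: 'id', value: m[3] });
    else tokens.push({ type: 'op', value: m[4] });
  }
  if (re.lastIndex !== src.length) throw new Error('unexpected input in expression');
  return tokens;
}

// Recursive-descent parser: additive -> multiplicative -> primary. Both back ends consume
// the same tree, so the only difference between them is how the tree is executed.
function parse(src) {
  const toks = tokenize(src);
  let i = 0;
  const isOp = (v) => toks[i] !== undefined && toks[i].type === 'op' && toks[i].value === v;
  function primary() {
    const t = toks[i++];
    if (!t) throw new Error('unexpected end of expression');
    if (t.type !== 'op') return t;                       // num, str or id leaf
    if (t.value === '(') {
      const e = additive();
      if (!isOp(')')) throw new Error('expected )');
      i++;
      return e;
    }
    throw new Error('unexpected token ' + t.value);
  }
  function multiplicative() {
    let node = primary();
    while (isOp('*') || isOp('/')) node = { type: 'bin', op: toks[i++].value, left: node, right: primary() };
    return node;
  }
  function additive() {
    let node = multiplicative();
    while (isOp('+') || isOp('-')) node = { type: 'bin', op: toks[i++].value, left: node, right: multiplicative() };
    return node;
  }
  const ast = additive();
  if (i !== toks.length) throw new Error('trailing input after expression');
  return ast;
}

// VULNERABLE back end: turns the tree into JavaScript source and compiles it with new Function.
// A string literal's raw text is spliced into that source without escaping, so a literal that
// contains a double quote terminates the generated string and the rest is run as JavaScript.
function compileToJS(ast) {
  const gen = (n) => {
    switch (n.type) {
      case 'num': return String(n.value);
      case 'str': return '"' + n.value + '"';              // injection point
      case 'id':  return 'vars.' + n.value;                // only [A-Za-z_]\w* can land here
      case 'bin': return '(' + gen(n.left) + n.op + gen(n.right) + ')';
      default:    throw new Error('unknown node ' + n.type);
    }
  };
  return new Function('vars', 'return ' + gen(ast) + ';');
}

// HARDENED back end: walks the same tree and computes values directly. No source text is ever
// assembled, so there is nothing for a literal to break out of; the payload is just a string.
function interpret(n, vars) {
  switch (n.type) {
    case 'num':
    case 'str': return n.value;
    case 'id':
      if (!Object.prototype.hasOwnProperty.call(vars, n.value)) throw new Error('unknown variable ' + n.value);
      return vars[n.value];
    case 'bin': {
      const l = interpret(n.left, vars), r = interpret(n.right, vars);
      if (n.op === '+') return l + r;
      if (n.op === '-') return l - r;
      if (n.op === '*') return l * r;
      return l / r;
    }
    default: throw new Error('unknown node ' + n.type);
  }
}

// Constructed attacker input. The greedy tokenizer makes ONE string token out of everything
// up to the final quote, so the generated source becomes
//   return ("x" + (globalThis.toyMarker = "escaped") + ""+1);
// and the assignment runs. The interpreter just returns the literal text followed by "1".
const PAYLOAD = '"x" + (globalThis.toyMarker = "escaped") + "" + 1';

function demonstrate() {
  delete globalThis.toyMarker;
  const benign = parse('a * 3 + 1');
  const tree = parse(PAYLOAD);
  const safe = interpret(tree, {});
  const safeEscaped = globalThis.toyMarker === 'escaped';
  const vulnerable = compileToJS(tree)({});
  const vulnerableEscaped = globalThis.toyMarker === 'escaped';
  delete globalThis.toyMarker;
  return {
    benignCompiled: compileToJS(benign)({ a: 2 }),
    benignInterpreted: interpret(benign, { a: 2 }),
    safe, safeEscaped, vulnerable, vulnerableEscaped,
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demonstrate());
```

Running the file with node prints that both back ends agree on `a * 3 + 1` (7) but only the compiled one sets toyMarker. The point for the remediation list is that escaping the literal more carefully would only move the problem to the next construct that reaches the generated source; the hardening is to stop generating code from untrusted text and evaluate the parsed tree instead. For expr-eval that means evaluating the parsed Expression through its evaluate() method (an API name taken from the project's README, not from this page) and never calling toJSFunction on untrusted input.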

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 06:45:00 +0000

Values added:
  • Title: Code Execution Vulnerability in Expr-eval toJSFunction API

Tue, 23 Jun 2026 05:15:00 +0000

Values added:
  • Description: All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are transformed directly into executable JavaScript, attackers can escape the intended expression sandbox and run arbitrary code within the application's context.
  • Weaknesses: CWE-94
  • References: (empty)
  • Metrics:
      cvssV3_1: score 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
      cvssV4_0: score 9.2, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2026-06-23T05:00:00.763Z

Reserved: 2026-06-22T08:22:34.991Z

Link: CVE-2026-12866

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T06:30:16Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')