A popular expression evaluator library contains a critical vulnerability (CVSS 9.8) that could allow remote code execution and complete system compromise.
The JavaScript Expression Evaluator package receives about 800,000 weekly downloads and is used in roughly 250 projects, including calculators, learning apps, and AI tools.
The vulnerability stems from improper sandboxing in the evaluate() and compile() functions. Due to insufficient input validation, attackers can inject crafted expressions that escape the sandbox and execute arbitrary code.
According to a Wiz advisory, this poses a significant security risk, as it could potentially allow full compromise of any application using the vulnerable library.
A detailed breakdown of the vulnerability was published by the CERT Coordination Center over the weekend.
The security researchers who found the vulnerability attempted to reach the original developers, but were unable to do so, Wiz reports.
A community-maintained fork, expr-eval-fork, has been released with a patch. Developers using expr-eval should migrate immediately.
“Users are advised to switch to the patched version expr-eval-fork available on NPM (GitHub PR, NPM Fork),” Wiz recommends.
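Before migrating, a team needs to know every place the vulnerable package is installed, including transitive copies pulled in by other dependencies. The following lockfile audit is an added example, not code from Wiz, CERT/CC or the expr-eval project; it assumes the standard npm package-lock.json shapes (v1 nested "dependencies", v2/v3 flat "packages") and uses a constructed sample lockfile with placeholder versions.

```javascript
// Added example: find every install of expr-eval in an npm lockfile so each
// occurrence can be replaced with expr-eval-fork. Not part of the advisory.
const VULNERABLE = "expr-eval";
const REPLACEMENT = "expr-eval-fork";

// Lockfile v2/v3: "packages" is keyed by install path, for example
// "node_modules/foo/node_modules/expr-eval". The name is derived from the
// path unless the entry carries an explicit "name" (aliases, root entry).
function scanPackagesField(packages) {
  const hits = [];
  for (const [installPath, meta] of Object.entries(packages || {})) {
    const name = meta.name || installPath.split("node_modules/").pop();
    if (name === VULNERABLE) {
      hits.push({ path: installPath, version: meta.version });
    }
  }
  return hits;
}

// Lockfile v1: "dependencies" is a nested tree, so walk it recursively and
// rebuild the install path as we descend.
function scanDependencyTree(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const installPath = `${prefix}node_modules/${name}`;
    if (name === VULNERABLE) {
      hits.push({ path: installPath, version: meta.version });
    }
    scanDependencyTree(meta.dependencies, `${installPath}/`, hits);
  }
  return hits;
}

// Returns one finding per installed copy, flagging transitive installs
// (those not directly under the project's own node_modules).
function auditLockfile(lock) {
  const hits = lock.packages
    ? scanPackagesField(lock.packages)
    : scanDependencyTree(lock.dependencies, "", []);
  return hits.map((h) => ({
    ...h,
    transitive: h.path !== `node_modules/${VULNERABLE}`,
    advice: `replace with ${REPLACEMENT}`,
  }));
}

// Constructed sample lockfile (v3 shape); versions are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app" },
    "node_modules/expr-eval": { version: "0.0.0-placeholder" },
    "node_modules/some-calculator": { version: "1.0.0" },
    "node_modules/some-calculator/node_modules/expr-eval": { version: "0.0.0-placeholder" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

A transitive hit means the upstream package itself must be updated or patched; swapping the direct dependency alone leaves that copy in place.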