“`html

critical ​Remote Code Execution Vulnerability in expr-eval JavaScript Library

A critical vulnerability ‌in the popular expr-eval JavaScript ​library, with over ⁣800,000 weekly ‍downloads ⁤on ‍NPM, can be​ exploited to execute code remotely through maliciously crafted​ input.

The security issue‌ was discovered⁣ by security researcher Jangwoo Choe and is tracked as​ CVE-2025-12735. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the severity rating is critical, with a⁣ score⁣ of 9.8.

Originally developed by Matthew Crumley,expr-eval is a small ‍JavaScript expression parser and evaluator, used in projects​ that require safe parsing and computation of user-supplied mathematical expressions at runtime.

Examples​ include online calculators, educational ‍suites, simulation tools, financial tools, and, more recently, AI and natural language processing⁤ (NLP) systems‌ that parse mathematical expressions from text prompts.

In an advisory over the weekend, the CERT Coordination Center (CERT-CC) for Carnegie Mellon’s Software engineering Institute (SEI) says that the vulnerability is