
An Incredibly Popular JavaScript Library Might Have some Worrying Malware Issues
Why It Matters
Because expr‑eval is widely embedded in web calculators and data‑analysis tools, the RCE vulnerability could expose countless applications to full compromise, forcing developers to patch or replace the library immediately.
Summary
Security researcher Jangwoo Choe disclosed a critical remote code execution flaw (CVE‑2025‑12735) in the popular npm JavaScript library expr‑eval, which parses mathematical expressions. The bug, rated 9.8/10, stems from insufficient input validation that lets attackers inject function objects via the variables object, enabling system‑level command execution. All versions up to 2.0.2 are vulnerable; the issue is patched in 2.0.3 and a maintained fork (expr‑eval‑fork 3.0.0) is available. The library, with over 800,000 weekly downloads and used in more than 250 projects, now faces urgent remediation.
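Because the flaw comes down to what an untrusted caller can place in the variables object, the defensive control on the application side is to validate that object before it reaches the evaluator. The following is an added example, not code from the article or from expr-eval: it assumes a caller-side filter named `sanitizeVariables` (a hypothetical name) that permits only finite numbers and booleans under allowlisted identifier names and rejects functions, nested objects and prototype keys.

```javascript
// Added example (not from the article or expr-eval): an allowlist filter for
// the `variables` object handed to an expression evaluator. Anything that is
// not a primitive number or boolean under a plain identifier name is rejected
// loudly rather than silently dropped, so a function object can never reach
// the evaluator's variable scope.

const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

class UnsafeVariableError extends Error {}

function sanitizeVariables(input, allowedNames) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new UnsafeVariableError('variables must be a plain object');
  }
  // Prototype-less copy: evaluator lookups cannot fall through to
  // Object.prototype members such as constructor or toString.
  const out = Object.create(null);
  for (const key of Object.keys(input)) {
    if (FORBIDDEN_KEYS.has(key) || !IDENT.test(key)) {
      throw new UnsafeVariableError(`illegal variable name: ${key}`);
    }
    if (allowedNames && !allowedNames.has(key)) {
      throw new UnsafeVariableError(`variable not permitted: ${key}`);
    }
    const value = input[key];
    if (typeof value === 'boolean') { out[key] = value; continue; }
    if (typeof value === 'number' && Number.isFinite(value)) { out[key] = value; continue; }
    // Functions, objects, arrays, strings, NaN and Infinity all land here.
    throw new UnsafeVariableError(`variable ${key} has unsupported type ${typeof value}`);
  }
  return out;
}

// Boolean wrapper for callers that prefer a check to an exception.
function isSafeVariables(input, allowedNames) {
  try { sanitizeVariables(input, allowedNames); return true; }
  catch (e) { if (e instanceof UnsafeVariableError) return false; throw e; }
}

// Assumed call shape at the evaluation site (names are hypothetical):
//   const vars = sanitizeVariables(JSON.parse(body), new Set(['x', 'y']));
//   parser.parse(expression).evaluate(vars);
```

This filter complements, rather than replaces, upgrading to the patched release: it limits what an attacker-controlled request body can inject regardless of the evaluator version in use.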