A critical **Remote Code Execution (RCE)** vulnerability (CVE pending) was discovered in the widely used JavaScript library **`expr-eval`** (versions < 2.0.2), which evaluates mathematical expressions from untrusted input. The flaw arises from unsafe use of the `new Function()` constructor (equivalent to `eval()`), which allows attackers to inject arbitrary code when an application processes untrusted expressions together with custom function registration. With **over 800,000 weekly downloads**, the vulnerability exposes countless projects across web, server-side, and mobile environments to supply-chain attacks. The risk is acute for platforms relying on dynamic expression parsing (e.g., financial calculators, educational tools, gaming logic), where exploitation could lead to **server takeover, data theft, or lateral movement** into connected systems. While a patch (v2.0.2) was released, unpatched deployments remain at high risk. The incident highlights systemic risks in **open-source supply chains**, where a single flawed library can cascade into mass compromises. Developers are urged to audit dependencies, enforce input sanitization, and restrict dynamic code evaluation.
npm, Inc. cybersecurity rating report: https://www.rankiteo.com/company/npm-inc-
```json
{
  "id": "npm1032210111125",
  "linkid": "npm-inc-",
  "type": "Vulnerability",
  "date": "11/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
```
```json
{
  "affected_entities": [
    {
      "customers_affected": "800,000+ weekly consumers (indirect impact)",
      "industry": ["Technology", "Finance", "Education", "Gaming", "General Software Development"],
      "location": "Global (via NPM distribution)",
      "name": "Projects using `expr-eval` < 2.0.2",
      "type": ["Open-source projects", "Commercial applications", "Enterprise systems"]
    }
  ],
  "attack_vector": [
    "Untrusted Input Injection",
    "Custom Function Misuse",
    "Dynamic Code Evaluation via `new Function()`"
  ],
  "customer_advisories": [
    "Users of applications leveraging `expr-eval` should verify that vendors have applied the patch (2.0.2+).",
    "No direct action required for end-users, but awareness of potential risks in affected platforms is advised."
  ],
  "description": "A severe vulnerability in the widely used JavaScript library `expr-eval` (versions prior to 2.0.2) allows remote code execution (RCE) due to its handling of custom functions and use of the `new Function()` constructor. The flaw enables attackers to inject malicious input, leading to arbitrary code execution on the server. The library, with over 800,000 weekly downloads on NPM, is embedded in web, server-side, and mobile environments. A patch (version 2.0.2) was released to mitigate the risk by deprecating or altering the misuse of `new Function()` in the parsing logic.",
  "impact": {
    "brand_reputation_impact": [
      "Potential erosion of trust in applications using `expr-eval`",
      "Supply chain vulnerability concerns"
    ],
    "operational_impact": [
      "Potential runtime compromise",
      "Risk to critical logic evaluation in financial/educational/gaming platforms"
    ],
    "systems_affected": [
      "Web applications",
      "Server-side applications",
      "Mobile applications (using `expr-eval`)"
    ]
  },
  "initial_access_broker": {
    "entry_point": [
      "Untrusted input passed to `expr-eval` evaluator",
      "Custom function registration without sanitization"
    ],
    "high_value_targets": [
      "Financial platforms",
      "Educational systems",
      "Gaming applications (reliant on dynamic expression evaluation)"
    ]
  },
  "investigation_status": "Resolved (patch released; ongoing monitoring recommended)",
  "lessons_learned": [
    "Supply chain vulnerabilities in third-party libraries (e.g., NPM packages) pose significant risks even for widely used, reputable projects.",
    "Dynamic code evaluation (e.g., `new Function()`, `eval()`) should be avoided or strictly controlled when processing untrusted input.",
    "Open-source libraries with extensibility features (e.g., custom functions) require rigorous security review to prevent misuse.",
    "Proactive patching and dependency audits are critical for mitigating cascading risks across ecosystems."
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Patch to remove/deprecate unsafe `new Function()` usage (version 2.0.2).",
      "Developer guidance on secure usage patterns (e.g., input validation, allowlisting).",
      "Broader awareness of supply chain risks in JavaScript ecosystems."
    ],
    "root_causes": [
      "Use of `new Function()` for dynamic expression compilation without safeguards.",
      "Lack of input sanitization for custom functions in `expr-eval` < 2.0.2.",
      "Over-reliance on extensibility features in libraries processing untrusted input."
    ]
  },
  "recommendations": [
    "Upgrade to `expr-eval` 2.0.2 or later immediately.",
    "Implement strict input validation and sanitization for all user-provided expressions.",
    "Avoid exposing expression evaluators to untrusted input, especially in high-risk environments (e.g., financial platforms).",
    "Conduct regular audits of third-party libraries for dangerous patterns (e.g., dynamic code execution).",
    "Use allowlisting for custom functions and restrict extensibility where possible.",
    "Monitor NPM or other package registries for security advisories related to dependencies."
  ],
  "references": [
    {"source": "Security researchers involved in vulnerability discovery"},
    {"source": "NPM registry (expr-eval package)", "url": "https://www.npmjs.com/package/expr-eval"}
  ],
  "response": {
    "communication_strategy": [
      "Public disclosure of vulnerability and patch",
      "Developer advisories for best practices"
    ],
    "containment_measures": [
      "Patch release (version 2.0.2)",
      "Deprecation of risky `new Function()` usage"
    ],
    "enhanced_monitoring": ["Recommended for applications using `expr-eval`"],
    "remediation_measures": [
      "Upgrade to `expr-eval` 2.0.2+",
      "Avoid passing user-controlled input to expression evaluators",
      "Audit for `Function` or dynamic interpretation functions",
      "Strict input validation and allowlisting for function registration"
    ],
    "third_party_assistance": [
      "Security researchers (discovery)",
      "NPM registry (patch distribution)"
    ]
  },
  "stakeholder_advisories": [
    "Developers: Audit and patch dependent projects.",
    "Security teams: Review applications for `expr-eval` usage and exposure to untrusted input.",
    "Organizations: Assess supply chain risk from third-party JavaScript libraries."
  ],
  "title": "Remote Code Execution (RCE) Vulnerability in JavaScript Library `expr-eval`",
  "type": ["Vulnerability", "Remote Code Execution (RCE)", "Supply Chain Risk"],
  "vulnerability_exploited": "CVE-not-yet-assigned (as of description) – RCE via `new Function()` in `expr-eval` < 2.0.2"
}
```