
Conversation

@alecasg555


Mitigation Solution: safe-expr-eval

I've developed safe-expr-eval as a secure drop-in replacement that completely addresses CVE-2025-12735 while maintaining 100% API compatibility with expr-eval.

Why safe-expr-eval is secure:

- No eval() - Never uses JavaScript's dangerous eval() function
- No Function constructor - Doesn't dynamically create executable code
- Token-based parsing - Expressions are parsed into safe tokens and evaluated in a controlled environment
- Type-safe - Built with TypeScript for additional security guarantees
- Zero dependencies - Minimal attack surface

Migration is trivial:

```javascript
// Before (vulnerable)
const { Parser } = require('expr-eval');

// After (secure)
const { Parser } = require('safe-expr-eval');

// That's it! All your existing code works unchanged.
```
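To make the "token-based parsing, no eval(), no Function constructor" design concrete, here is an added illustration that is not code from safe-expr-eval, expr-eval, or the commenter above. It is a minimal arithmetic evaluator: the expression string is tokenized, parsed into a plain object tree, and walked by an interpreter, so no part of the untrusted string ever reaches eval() or new Function(). Variables are resolved from a prototype-less map and callables only from a frozen allowlist, so identifiers such as `constructor` or `process` cannot resolve to anything executable. All names (`tokenize`, `parse`, `evaluate`, `ALLOWED_FUNCTIONS`) and the sample inputs are hypothetical and constructed for this example.

```javascript
// Added illustration (not safe-expr-eval's or expr-eval's code): a minimal
// token-based arithmetic evaluator. Hypothetical names throughout.

// The only callables an expression can ever invoke.
const ALLOWED_FUNCTIONS = Object.freeze({
  sqrt: Math.sqrt, abs: Math.abs, max: Math.max, min: Math.min,
});

// Tokenize into numbers, identifiers, operators and parentheses.
// Any other character ('.', '[', '"', '=', ';' ...) is rejected outright,
// so property access or statements cannot even be expressed.
function tokenize(src) {
  const tokens = [];
  const re = /(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*/^(),])/y;
  let pos = 0;
  while (pos < src.length) {
    if (/\s/.test(src[pos])) { pos++; continue; }
    re.lastIndex = pos;
    const m = re.exec(src);
    if (!m) throw new SyntaxError(`unexpected character at ${pos}: ${JSON.stringify(src[pos])}`);
    pos = re.lastIndex;
    if (m[1] !== undefined) tokens.push({ type: 'num', value: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: 'id', value: m[2] });
    else tokens.push({ type: 'op', value: m[3] });
  }
  return tokens;
}

// Recursive-descent parser producing a plain data tree (no code objects).
function parse(tokens) {
  let i = 0;
  const peek = () => tokens[i];
  const next = () => tokens[i++];
  const isOp = (v) => peek() && peek().type === 'op' && peek().value === v;
  const expect = (v) => { if (!isOp(v)) throw new SyntaxError(`expected '${v}'`); next(); };

  function parseExpr() {                       // term (('+'|'-') term)*
    let node = parseTerm();
    while (isOp('+') || isOp('-')) node = { type: 'bin', op: next().value, left: node, right: parseTerm() };
    return node;
  }
  function parseTerm() {                       // factor (('*'|'/') factor)*
    let node = parseFactor();
    while (isOp('*') || isOp('/')) node = { type: 'bin', op: next().value, left: node, right: parseFactor() };
    return node;
  }
  function parseFactor() {                     // unary minus, then right-assoc '^'
    if (isOp('-')) { next(); return { type: 'neg', arg: parseFactor() }; }
    const base = parseAtom();
    if (isOp('^')) { next(); return { type: 'bin', op: '^', left: base, right: parseFactor() }; }
    return base;
  }
  function parseAtom() {
    const t = next();
    if (!t) throw new SyntaxError('unexpected end of expression');
    if (t.type === 'num') return { type: 'num', value: t.value };
    if (t.type === 'id') {
      if (!isOp('(')) return { type: 'var', name: t.value };
      next();                                  // function call: name(args...)
      const args = [];
      if (!isOp(')')) { do { args.push(parseExpr()); } while (isOp(',') && next()); }
      expect(')');
      return { type: 'call', name: t.value, args };
    }
    if (t.value === '(') { const node = parseExpr(); expect(')'); return node; }
    throw new SyntaxError(`unexpected token '${t.value}'`);
  }
  const ast = parseExpr();
  if (i !== tokens.length) throw new SyntaxError(`unexpected token '${tokens[i].value}'`);
  return ast;
}

// Tree-walking interpreter. Variables live in a prototype-less map, so names
// like 'constructor' or '__proto__' resolve to nothing; functions come only
// from the frozen allowlist; every variable must be a plain number.
function evaluate(expr, variables = {}) {
  const scope = Object.assign(Object.create(null), variables);
  function ev(node) {
    switch (node.type) {
      case 'num': return node.value;
      case 'neg': return -ev(node.arg);
      case 'var': {
        const v = scope[node.name];
        if (typeof v !== 'number') throw new ReferenceError(`unknown or non-numeric variable '${node.name}'`);
        return v;
      }
      case 'call': {
        if (!Object.prototype.hasOwnProperty.call(ALLOWED_FUNCTIONS, node.name)) {
          throw new ReferenceError(`function '${node.name}' is not allowed`);
        }
        return ALLOWED_FUNCTIONS[node.name](...node.args.map(ev));
      }
      case 'bin': {
        const a = ev(node.left), b = ev(node.right);
        switch (node.op) {
          case '+': return a + b; case '-': return a - b; case '*': return a * b;
          case '/': return a / b; case '^': return a ** b;
        }
      }
    }
    throw new Error(`unsupported node type '${node.type}'`);
  }
  return ev(parse(tokenize(expr)));
}

module.exports = { tokenize, parse, evaluate, ALLOWED_FUNCTIONS };
```

The security property comes from the shape of the pipeline rather than from filtering: the tokenizer's grammar has no way to spell member access, assignment or string literals, the parser emits only data, and the interpreter resolves names against a null-prototype scope and a frozen allowlist. A host application that wants more functions extends `ALLOWED_FUNCTIONS` explicitly; nothing the expression author writes can widen that set.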

@github-actions github-actions bot changed the base branch from main to alecasg555/advisory-improvement-6479 November 27, 2025 15:52
@yhidad31

yhidad31 commented Dec 3, 2025

Hi @alecasg555, thank you for your contribution and for developing safe-expr-eval as a potential alternative.

Unfortunately, we cannot accept this change. The GitHub Advisory Database tracks vulnerabilities in specific packages and their patched versions, so the patched version field must refer to a version of the same affected package where the vulnerability has been addressed, not a different package entirely. Recommending migration to a separate package (even one with a compatible API) falls outside the scope of what we can represent in this advisory.

If expr-eval releases a version that addresses CVE-2025-12735, we'd welcome an update to the advisory with that information. In the meantime, you might consider reaching out to the expr-eval maintainers and contributing the fix upstream.

Thank you for your understanding and your effort to help the community stay secure!

@yhidad31 yhidad31 closed this Dec 3, 2025
@github-actions github-actions bot deleted the alecasg555-GHSA-jc85-fpwf-qm7x branch December 3, 2025 20:39