Cyber Web Spider Blog – News

Critical Vulnerability in Popular NPM Library Exposes AI and NLP Apps to Remote Code Execution

Posted on November 10, 2025 By CWS

A critical security flaw has been found in the widely used npm package expr-eval, potentially exposing AI and natural language processing applications to remote code execution attacks.

The vulnerability, tracked as CVE-2025-12735, allows attackers to execute arbitrary system commands through maliciously crafted input.

The expr-eval library is a JavaScript tool designed to parse and evaluate mathematical expressions safely, serving as a safer alternative to JavaScript's native eval() function.

With over 250 dependent packages, including oplangchain, a JavaScript implementation of the popular LangChain framework, this vulnerability has significant implications for the AI and NLP ecosystem.

NPM Library Vulnerability

Carnegie Mellon University researchers found that attackers can define arbitrary functions within the parser's context object, enabling the injection of malicious code that executes system-level commands.

This vulnerability achieves Total Technical Impact under the SSVC framework, meaning adversaries gain full control over affected software behavior and can access all system information.

| CVE ID | Affected Package | Vulnerability Type | Patched Version |
|---|---|---|---|
| CVE-2025-12735 | expr-eval, expr-eval-fork | Remote Code Execution | expr-eval-fork v3.0.0 |

The flaw is particularly dangerous for generative AI systems and NLP applications. These systems often run in server environments with access to sensitive local resources and process user-supplied mathematical expressions.

Developers using expr-eval or expr-eval-fork should take immediate action by upgrading to expr-eval-fork version 3.0.0, which includes comprehensive security patches.

The update introduces an allowlist of safe functions, mandatory registration for custom functions, and enhanced test cases to enforce security constraints.
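The allowlist and mandatory-registration idea can also be enforced at the application boundary, before a context object reaches any expression evaluator. The sketch below is an added example, not the code from the expr-eval-fork patch; the function names, the registered set and the sample contexts are assumptions made for illustration.

```javascript
// Added illustration (hypothetical names): refuse any evaluation context that
// carries a function the application did not explicitly register.

// Functions the application chooses to expose to expressions (assumed set).
const REGISTERED = new Set([Math.abs, Math.min, Math.max, Math.sqrt]);

// Return a description of every disallowed entry found in `vars`.
function findUnsafeEntries(vars, registered = REGISTERED, path = '', seen = new Set()) {
  const problems = [];
  if (vars === null || typeof vars !== 'object' || seen.has(vars)) return problems;
  seen.add(vars); // guard against cyclic references
  const proto = Object.getPrototypeOf(vars);
  if (proto !== null && proto !== Object.prototype && proto !== Array.prototype) {
    // Class instances bring inherited methods along; accept plain data only.
    problems.push(`${path || '<root>'}: non-plain object`);
    return problems;
  }
  for (const key of Reflect.ownKeys(vars)) {
    const where = path ? `${path}.${String(key)}` : String(key);
    const desc = Object.getOwnPropertyDescriptor(vars, key);
    if (desc.get || desc.set) { // accessors run code when read
      problems.push(`${where}: accessor property`);
    } else if (typeof desc.value === 'function') {
      if (!registered.has(desc.value)) problems.push(`${where}: unregistered function`);
    } else {
      problems.push(...findUnsafeEntries(desc.value, registered, where, seen));
    }
  }
  return problems;
}

// Call this before the context reaches any expression evaluator.
function assertSafeContext(vars, registered = REGISTERED) {
  const problems = findUnsafeEntries(vars, registered);
  if (problems.length > 0) {
    throw new Error(`unsafe evaluation context: ${problems.join('; ')}`);
  }
  return vars;
}

// Constructed sample contexts.
const okContext = { x: 3, limits: { lo: 0, hi: 10 }, abs: Math.abs };
const badContext = { x: 3, helpers: { run() { return 'not registered'; } } };
```

A guard like this complements the upgrade rather than replacing it, since it only covers contexts that pass through the application's own call sites.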

The vulnerability was responsibly disclosed by security researcher Jangwoo Choe (UKO) and patched through GitHub Pull Request #288.

Organizations can use npm audit to automatically detect this vulnerability in their projects through the GitHub Security Advisory GHSA-jc85-fpwf-qm7x.
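Alongside npm audit, a lockfile can be checked directly for direct and nested copies of the affected packages. This is an added example, not tooling from the advisory; it assumes the `packages` map of an npm v2/v3 package-lock.json, reports every expr-eval version because the article names a patched release only for expr-eval-fork, and runs on a constructed sample lockfile.

```javascript
// Package names and the patched release (expr-eval-fork 3.0.0) come from the
// article; everything else here is an assumption for illustration.
const AFFECTED = new Set(['expr-eval', 'expr-eval-fork']);
const PATCHED = { 'expr-eval-fork': [3, 0, 0] };

// Parse "major.minor.patch"; pre-release tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || '');
  return m ? m.slice(1).map(Number) : null;
}

// True when version triple a sorts before b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Scan the lockfile's "packages" map, including nested node_modules copies.
function findAffected(lock) {
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const idx = key.lastIndexOf('node_modules/');
    if (idx === -1) continue; // the "" entry is the root project
    const name = key.slice(idx + 'node_modules/'.length);
    if (!AFFECTED.has(name)) continue;
    const fixed = PATCHED[name];
    const ver = parseVersion(meta.version);
    // No patched release known for this name, unparsable version, or too old.
    if (!fixed || !ver || isBelow(ver, fixed)) {
      hits.push({ path: key, name, version: meta.version || 'unknown' });
    }
  }
  return hits;
}

// Constructed sample lockfile; "some-lib" is a made-up dependency.
const sampleLock = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/expr-eval': { version: '2.0.2' },
    'node_modules/expr-eval-fork': { version: '3.0.0' },
    'node_modules/some-lib/node_modules/expr-eval-fork': { version: '2.0.2' },
  },
};
```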
