Critical Vulnerability in Popular NPM Library Exposes AI and NLP Apps to Remote Code Execution

Posted on By CWS

A essential safety flaw has been found within the extensively used npm bundle expr-eval, doubtlessly exposing AI and pure language processing purposes to distant code execution assaults.

The vulnerability, tracked as CVE-2025-12735, permits attackers to execute arbitrary system instructions by means of maliciously crafted enter.

The expr-eval library is a JavaScript instrument designed to parse and consider mathematical expressions safely, serving as a safer various to JavaScript’s native eval() perform.

With over 250 dependent packages, together with oplangchain, a JavaScript implementation of the favored LangChain framework, this vulnerability has vital implications for the AI and NLP ecosystem.

NPM Library Vulnerability

Carnegie Mellon College researchers found that attackers can outline arbitrary capabilities throughout the parser’s context object, enabling the injection of malicious code that executes system-level instructions.

This vulnerability achieves Whole Technical Influence below the SSVC framework, that means adversaries achieve full management over affected software program habits and might entry all system data.

CVE IDAffected PackageVulnerability TypePatched VersionCVE-2025-12735expr-eval, expr-eval-forkRemote Code Executionexpr-eval-fork v3.0.0

The flaw is especially harmful for generative AI programs and NLP purposes. These programs typically run in server environments with entry to delicate native assets and course of user-supplied mathematical expressions.

Builders utilizing expr-eval or expr-eval-fork ought to take rapid motion by upgrading to the expr-eval-fork model 3.0.0, which incorporates complete safety patches.

The replace introduces an allowlist of protected capabilities, obligatory registration for customized capabilities, and enhanced check instances to implement safety constraints.

The vulnerability was responsibly disclosed by safety researcher Jangwoo Choe (UKO) and patched by means of GitHub Pull Request #288.

Organizations can use npm audit to robotically detect this vulnerability of their tasks by means of the GitHub Safety Advisory GHSA-jc85-fpwf-qm7x.

Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to function your tales.

Cyber Security News Tags:, , , , , , , , , ,

Related Posts

European Airport Disruptions Caused by Sophisticated Ransomware Attack Cyber Security News
New WhatsApp Scam Alert Tricks Users to Get Complete Access to Your WhatsApp Chats Cyber Security News
Threat Actors Weaponizes Judicial Documents to Deliver PureHVNC RAT Cyber Security News
McDonald’s AI Hiring Bot With Password ‘123456’ Leaks Millions of Job-Seekers Data Cyber Security News
Interlock Ransomware Employs ClickFix Technique to Run Malicious Commands on Windows Machines Cyber Security News
Threat Actors Tricks Target Users Via Impersonation and Fictional Financial Aid Offers Cyber Security News