Cyber Web Spider Blog – News
Critical Vulnerability in Popular NPM Library Exposes AI and NLP Apps to Remote Code Execution

Posted on November 10, 2025 by CWS

A critical security flaw has been discovered in the widely used npm package expr-eval, potentially exposing AI and natural language processing applications to remote code execution attacks.

The vulnerability, tracked as CVE-2025-12735, allows attackers to execute arbitrary system commands through maliciously crafted input.

The expr-eval library is a JavaScript tool designed to parse and evaluate mathematical expressions safely, serving as a safer alternative to JavaScript's native eval() function.

With over 250 dependent packages, including oplangchain, a JavaScript implementation of the popular LangChain framework, this vulnerability has significant implications for the AI and NLP ecosystem.

NPM Library Vulnerability

Carnegie Mellon University researchers found that attackers can define arbitrary functions within the parser's context object, enabling the injection of malicious code that executes system-level commands.

This vulnerability achieves Total Technical Impact under the SSVC framework, meaning adversaries gain full control over the affected software's behavior and can access all system information.

CVE ID: CVE-2025-12735
Affected Package: expr-eval, expr-eval-fork
Vulnerability Type: Remote Code Execution
Patched Version: expr-eval-fork v3.0.0

The flaw is particularly dangerous for generative AI systems and NLP applications. These systems often run in server environments with access to sensitive local resources and process user-supplied mathematical expressions.

Developers using expr-eval or expr-eval-fork should take immediate action by upgrading to expr-eval-fork version 3.0.0, which includes comprehensive security patches.

The update introduces an allowlist of safe functions, mandatory registration for custom functions, and additional test cases to enforce the security constraints.
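The root cause above is that callers could place arbitrary functions into the parser's context object, and the fix restricts which functions an expression may reach. The following is an added example, not code from the article or from the expr-eval project, of the same idea applied on the application side: a guard that only admits finite numbers from untrusted input and sources every callable from a fixed registry. FUNCTION_REGISTRY, buildSafeContext and isRejected are hypothetical names; the commented usage assumes expr-eval's Parser.parse(...).evaluate(variables) API.

```javascript
// Added example (not expr-eval's own code): an application-side guard that builds
// the variables object handed to an expression evaluator such as expr-eval's
// Parser#evaluate(expr, variables). CVE-2025-12735 arose because untrusted callers
// could place arbitrary functions in that object; this guard only admits finite
// numbers from the caller and takes every callable from a server-controlled registry.
// FUNCTION_REGISTRY, buildSafeContext and isRejected are hypothetical names.

const FUNCTION_REGISTRY = Object.freeze({
  clamp: (v, lo, hi) => Math.min(Math.max(v, lo), hi),
  percent: (part, whole) => (whole === 0 ? 0 : (100 * part) / whole),
});

const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Returns a prototype-less object: registry functions plus the caller's numeric
// variables. Anything else (functions, strings, objects, NaN/Infinity, odd keys,
// attempts to shadow a registered function) is rejected with an exception.
function buildSafeContext(untrustedVars) {
  if (untrustedVars === null || typeof untrustedVars !== 'object' || Array.isArray(untrustedVars)) {
    throw new TypeError('variables must be a plain object');
  }
  const ctx = Object.create(null);
  for (const [name, fn] of Object.entries(FUNCTION_REGISTRY)) ctx[name] = fn;
  for (const name of Object.keys(untrustedVars)) {
    if (!IDENTIFIER.test(name) || name in ctx) {
      throw new Error(`rejected variable name: ${name}`);
    }
    const value = untrustedVars[name];
    if (typeof value !== 'number' || !Number.isFinite(value)) {
      throw new TypeError(`variable ${name} must be a finite number`);
    }
    ctx[name] = value;
  }
  return ctx;
}

// Convenience for logging/metrics: true if the guard refuses this input.
function isRejected(untrustedVars) {
  try { buildSafeContext(untrustedVars); return false; } catch { return true; }
}

// Usage sketch (commented out because the library is not bundled with this example;
// the same API is assumed for expr-eval-fork >= 3.0.0):
//   const { Parser } = require('expr-eval');
//   const ctx = buildSafeContext(JSON.parse(requestBody)); // throws before evaluate() runs
//   const result = Parser.parse('clamp(x * 2, 0, y)').evaluate(ctx);
```

The guard is a defence-in-depth layer and does not replace upgrading to the patched version, which also restricts functions the parser itself exposes.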

The vulnerability was responsibly disclosed by security researcher Jangwoo Choe (UKO) and patched through GitHub Pull Request #288.

Organizations can use npm audit to automatically detect this vulnerability in their projects through the GitHub Security Advisory GHSA-jc85-fpwf-qm7x.