Cyber Web Spider Blog – News

Critical Vulnerability in Popular NPM Library Exposes AI and NLP Apps to Remote Code Execution

Posted on November 10, 2025 By CWS

A critical security flaw has been discovered in the widely used npm package expr-eval, potentially exposing AI and natural language processing applications to remote code execution attacks.

The vulnerability, tracked as CVE-2025-12735, allows attackers to execute arbitrary system commands through maliciously crafted input.

The expr-eval library is a JavaScript tool designed to parse and evaluate mathematical expressions safely, serving as a safer alternative to JavaScript's native eval() function.

With over 250 dependent packages, including oplangchain, a JavaScript implementation of the popular LangChain framework, this vulnerability has significant implications for the AI and NLP ecosystem.

NPM Library Vulnerability

Carnegie Mellon University researchers found that attackers can define arbitrary functions within the parser's context object, enabling the injection of malicious code that executes system-level commands.

This vulnerability achieves Total Technical Impact under the SSVC framework, meaning adversaries gain full control over affected software behavior and can access all system information.

CVE ID: CVE-2025-12735
Affected Package: expr-eval, expr-eval-fork
Vulnerability Type: Remote Code Execution
Patched Version: expr-eval-fork v3.0.0

The flaw is particularly dangerous for generative AI systems and NLP applications. These systems often run in server environments with access to sensitive local resources and process user-supplied mathematical expressions.

Developers using expr-eval or expr-eval-fork should take immediate action by upgrading to expr-eval-fork version 3.0.0, which includes comprehensive security patches.

The update introduces an allowlist of safe functions, mandatory registration for custom functions, and enhanced test cases to enforce security constraints.
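The two mitigations just described, an allowlist of safe functions and mandatory registration of custom functions, are easier to see in code. The following is an added example written for this article, not code from expr-eval or expr-eval-fork: a minimal expression evaluator (the parser, the SAFE_FUNCTIONS allowlist and the createEvaluator registration helper are all names assumed by this example) that refuses function-valued entries in the caller-supplied context and resolves function names only against what the application has explicitly registered, so nothing callable can reach the evaluator from user-controlled data.

```javascript
// Added example (not expr-eval's code): a tiny expression evaluator that applies
// the two controls from the patched release, a fixed allowlist of safe functions
// and mandatory registration of custom functions by the application.

const SAFE_FUNCTIONS = Object.freeze({
  abs: Math.abs,
  sqrt: Math.sqrt,
  min: Math.min,
  max: Math.max,
});

// Custom functions are registered here by the application, never taken from the
// evaluation context that carries user-supplied values.
function createEvaluator(customFunctions = {}) {
  const functions = { ...SAFE_FUNCTIONS };
  for (const [name, fn] of Object.entries(customFunctions)) {
    if (typeof fn !== 'function' || !/^[A-Za-z_]\w*$/.test(name)) {
      throw new TypeError(`invalid custom function registration: ${name}`);
    }
    functions[name] = fn;
  }
  return (expression, context = {}) => evaluate(expression, context, functions);
}

// Tokens: numbers, identifiers, and the operators ( ) + - * / ,
function tokenize(source) {
  const src = source.trim();
  const tokens = [];
  const re = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([()+\-*\/,]))/y;
  let m;
  while (re.lastIndex < src.length && (m = re.exec(src))) {
    if (m[1] !== undefined) tokens.push({ type: 'num', value: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: 'id', value: m[2] });
    else tokens.push({ type: 'op', value: m[3] });
  }
  if (re.lastIndex !== src.length) throw new SyntaxError('unexpected character in expression');
  return tokens;
}

function evaluate(expression, context, functions) {
  // Only finite numbers may enter from the context. A function-valued entry is
  // exactly the kind of injected code the advisory describes, so it is rejected.
  for (const [name, value] of Object.entries(context)) {
    if (typeof value !== 'number' || !Number.isFinite(value)) {
      throw new TypeError(`context variable "${name}" must be a finite number`);
    }
  }
  const vars = Object.assign(Object.create(null), context); // no prototype lookups
  const tokens = tokenize(expression);
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  const expect = (v) => {
    const t = next();
    if (!t || t.value !== v) throw new SyntaxError(`expected "${v}"`);
  };

  function parseExpr() {
    let left = parseTerm();
    while (peek() && (peek().value === '+' || peek().value === '-')) {
      const op = next().value;
      const right = parseTerm();
      left = op === '+' ? left + right : left - right;
    }
    return left;
  }
  function parseTerm() {
    let left = parseUnary();
    while (peek() && (peek().value === '*' || peek().value === '/')) {
      const op = next().value;
      const right = parseUnary();
      left = op === '*' ? left * right : left / right;
    }
    return left;
  }
  function parseUnary() {
    if (peek() && peek().value === '-') { next(); return -parseUnary(); }
    return parsePrimary();
  }
  function parsePrimary() {
    const t = next();
    if (!t) throw new SyntaxError('unexpected end of expression');
    if (t.type === 'num') return t.value;
    if (t.type === 'op' && t.value === '(') { const v = parseExpr(); expect(')'); return v; }
    if (t.type === 'id') {
      if (peek() && peek().value === '(') {
        next();
        // Function names resolve only against the registered table (own properties
        // only, so names like "constructor" cannot reach Object.prototype).
        if (!Object.prototype.hasOwnProperty.call(functions, t.value)) {
          throw new ReferenceError(`function "${t.value}" is not registered`);
        }
        const args = [];
        if (peek() && peek().value !== ')') {
          do { args.push(parseExpr()); } while (peek() && peek().value === ',' && next());
        }
        expect(')');
        return functions[t.value](...args);
      }
      if (!(t.value in vars)) throw new ReferenceError(`unknown variable "${t.value}"`);
      return vars[t.value];
    }
    throw new SyntaxError(`unexpected token "${t.value}"`);
  }

  const result = parseExpr();
  if (pos !== tokens.length) throw new SyntaxError('trailing input after expression');
  return result;
}
```

The design point is the separation of the two inputs: the context object is data and is validated to contain nothing but finite numbers, while the function table is fixed at construction time by the application. An expression such as `f(1)` paired with a context entry `f` that is a function is refused before parsing starts, which is the behaviour the patched release enforces through its allowlist and registration requirement; applications depending on expr-eval or expr-eval-fork should still take the upgrade rather than reimplement the check.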

The vulnerability was responsibly disclosed by security researcher Jangwoo Choe (UKO) and patched through GitHub Pull Request #288.

Organizations can use npm audit to automatically detect this vulnerability in their projects through the GitHub Security Advisory GHSA-jc85-fpwf-qm7x.
