Critical Vulnerability in Popular NPM Library Exposes AI and NLP Apps to Remote Code Execution

Posted on November 10, 2025 by CWS

A critical security flaw has been found in the widely used npm package expr-eval, potentially exposing AI and natural language processing (NLP) applications to remote code execution attacks.

The vulnerability, tracked as CVE-2025-12735, allows attackers to execute arbitrary system commands through maliciously crafted input.

expr-eval is a JavaScript library designed to parse and evaluate mathematical expressions safely, serving as a safer alternative to JavaScript's native eval() function.

With over 250 dependent packages, including oplangchain, a JavaScript implementation of the popular LangChain framework, the vulnerability has significant implications for the AI and NLP ecosystem.

NPM Library Vulnerability

Carnegie Mellon University researchers found that attackers can define arbitrary functions within the parser's context object, the object that is meant to supply variable values when an expression is evaluated. Because the vulnerable parser invokes any function it finds there, an attacker who controls the context can inject code that runs system-level commands.

Under the SSVC (Stakeholder-Specific Vulnerability Categorization) framework the vulnerability is rated as having Total Technical Impact, meaning an adversary gains complete control over the affected software's behaviour and can access all of its information.

CVE ID:              CVE-2025-12735
Affected packages:   expr-eval, expr-eval-fork
Vulnerability type:  Remote Code Execution
Patched version:     expr-eval-fork v3.0.0

The flaw is particularly dangerous for generative AI systems and NLP applications. These systems often run in server environments with access to sensitive local resources, and they routinely evaluate user-supplied mathematical expressions.

Developers using expr-eval or expr-eval-fork should upgrade immediately to expr-eval-fork version 3.0.0, which contains the security fix. No patched release of the original expr-eval package is listed, so projects that depend on it need to switch to the fork.

The update introduces an allowlist of safe functions, mandatory registration for custom functions, and additional test cases that enforce the security constraints.

The vulnerability was responsibly disclosed by security researcher Jangwoo Choe (UKO) and patched in GitHub Pull Request #288.

Organizations can run npm audit to detect the vulnerability in their projects automatically; it is indexed in the GitHub Advisory Database as GHSA-jc85-fpwf-qm7x. Because the package is usually pulled in transitively, npm ls expr-eval expr-eval-fork is a quick way to confirm which copies a project actually resolves.
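The mechanism described above (any function reachable through the evaluation context can be called from an expression) and the fix strategy just listed (a fixed allowlist plus explicit registration of custom functions) can be modelled with a small self-contained evaluator. What follows is an added illustration written for this page; it is not expr-eval's code and makes no claim about the library's actual grammar, API or internals. The names tokenize, parse, evaluateUnsafe, evaluateSafe, SAFE_FUNCTIONS, createRegistry, registerFunction, runShell and demo are this example's own, and the command helper only records what it would have run; nothing is executed.

```javascript
// Added illustration for this page, not expr-eval's code: a tiny expression
// evaluator showing the bug class behind CVE-2025-12735 and the fix strategy
// the article describes. Grammar, deliberately small:
//   expr := NUMBER | IDENT | IDENT '(' [expr {',' expr}] ')'
const TOKEN = /\s*(\d+(?:\.\d+)?|[A-Za-z_]\w*|[(),])\s*/y;

function tokenize(src) {
  const tokens = [];
  let pos = 0;
  while (pos < src.length) {
    TOKEN.lastIndex = pos;            // sticky regex: must match exactly at pos
    const m = TOKEN.exec(src);
    if (!m) throw new SyntaxError(`bad token at offset ${pos}`);
    tokens.push(m[1]);
    pos = TOKEN.lastIndex;
  }
  return tokens;
}

function parse(tokens) {
  let i = 0;
  function expr() {
    const t = tokens[i++];
    if (t === undefined) throw new SyntaxError('unexpected end of expression');
    if (/^\d/.test(t)) return { type: 'num', value: Number(t) };
    if (!/^[A-Za-z_]/.test(t)) throw new SyntaxError(`unexpected token ${t}`);
    if (tokens[i] !== '(') return { type: 'var', name: t };
    i++;                              // consume '('
    const args = [];
    if (tokens[i] !== ')') {
      args.push(expr());
      while (tokens[i] === ',') { i++; args.push(expr()); }
    }
    if (tokens[i++] !== ')') throw new SyntaxError("expected ')'");
    return { type: 'call', name: t, args };
  }
  const ast = expr();
  if (i !== tokens.length) throw new SyntaxError('trailing input');
  return ast;
}

// VULNERABLE PATTERN: whatever the name resolves to on the caller-supplied
// context is invoked, so any callable reachable through the context (intended
// or not, own property or inherited) can be called from the expression.
function evaluateUnsafe(src, context) {
  const ev = (node) => {
    if (node.type === 'num') return node.value;
    if (node.type === 'var') return context[node.name];
    const fn = context[node.name];
    if (typeof fn !== 'function') throw new TypeError(`${node.name} is not a function`);
    return fn(...node.args.map(ev));
  };
  return ev(parse(tokenize(src)));
}

// HARDENED PATTERN: callables come only from an explicit registry seeded with a
// fixed allowlist; the context supplies values and is never consulted for code.
const SAFE_FUNCTIONS = Object.freeze({ abs: Math.abs, min: Math.min, max: Math.max, sqrt: Math.sqrt });

function createRegistry() {
  return new Map(Object.entries(SAFE_FUNCTIONS));   // Map: no prototype-chain lookups
}

function registerFunction(registry, name, fn) {
  if (typeof fn !== 'function') throw new TypeError('custom function must be a function');
  registry.set(name, fn);                            // explicit opt-in is the only route in
  return registry;
}

function evaluateSafe(src, context, registry = createRegistry()) {
  const ev = (node) => {
    if (node.type === 'num') return node.value;
    if (node.type === 'var') {
      if (!Object.prototype.hasOwnProperty.call(context, node.name)) {
        throw new ReferenceError(`unknown variable ${node.name}`);
      }
      const v = context[node.name];
      if (typeof v === 'function') throw new TypeError(`${node.name} is not a value`);
      return v;
    }
    const fn = registry.get(node.name);
    if (fn === undefined) throw new Error(`function ${node.name} is not registered`);
    return fn(...node.args.map(ev));
  };
  return ev(parse(tokenize(src)));
}

// Constructed scenario: an application evaluates a user-supplied expression
// against a context holding its own data plus a helper that can run commands.
// The helper is a stand-in for a child_process wrapper and only logs the call.
function demo() {
  const shellLog = [];
  const context = { price: 12, qty: 3, runShell: (n) => { shellLog.push(`id ${n}`); return 0; } };
  const attackerExpr = 'runShell(qty)';
  const unsafeResult = evaluateUnsafe(attackerExpr, context);   // helper reached: shellLog gets 'id 3'
  let safeError;
  try { evaluateSafe(attackerExpr, context); } catch (e) { safeError = e.message; }
  const legit = evaluateSafe('max(price, qty)', context);       // allowlisted math still works
  const custom = evaluateSafe('double(qty)', context,
    registerFunction(createRegistry(), 'double', (n) => 2 * n)); // explicitly registered custom fn
  return { unsafeResult, shellLog, safeError, legit, custom };
}
```

Two design points carry over to real code. The registry is a Map rather than a plain object so that inherited members such as toString or constructor can never satisfy a lookup, and the hardened evaluator refuses to return a function as a value at all, which closes the path where a callable smuggled into the context is passed as an argument to something that will invoke it.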
