CVE-2025-13204
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
14/11/2025
Last modified:
08/01/2026
Description
npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue.
Impact
Base Score 3.x
7.30
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:silentmatt:javascript_expression_evaluator:*:*:*:*:*:node.js:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/SECCON/SECCON2022_final_CTF/blob/main/jeopardy/web/babybox/solver/solver.py
- https://github.com/jorenbroekema/expr-eval
- https://github.com/silentmatt/expr-eval
- https://github.com/silentmatt/expr-eval/pull/252/files
- https://github.com/vladko312/extras/blob/f549d505af300fd74a01b46fab2102990ff1c14d/expr-eval.py
- https://www.huntr.dev/bounties/1-npm-expr-eval/
- https://www.npmjs.com/package/expr-eval-fork