A critical security flaw has been identified in the widely utilized npm package expr-eval, which potentially exposes applications in artificial intelligence and natural language processing to remote code execution attacks. Tracked under CVE-2025-12735, this vulnerability enables attackers to execute arbitrary system commands through maliciously crafted inputs, making it crucial for developers to address this issue promptly. The expr-eval library, used to parse and evaluate mathematical expressions, serves as a safer alternative to JavaScript’s eval() function and supports over 250 dependent packages.
Carnegie Mellon University researchers alerted the community about how attackers could leverage this vulnerability to define arbitrary functions within the parser’s context object, which could lead to malicious code execution. This flaw poses a significant threat particularly for generative AI systems that often operate in server environments with access to sensitive local resources. Organizations utilizing expr-eval or its fork are urged to update to version 3.0.0, which introduces critical security measures alongside a patch for this vulnerability. The importance of maintaining software security in AI applications cannot be understated, given the potential implications of such vulnerabilities.
👉 Pročitaj original: Cyber Security News
