Skip to content

Security fix for CVE-2025-12735, CVE-2025-13204, and member function bypass#6

Merged
Sander-Toonen merged 6 commits intomasterfrom
copilot/fix-security-issues-patch
Dec 29, 2025
Merged

Security fix for CVE-2025-12735, CVE-2025-13204, and member function bypass#6
Sander-Toonen merged 6 commits intomasterfrom
copilot/fix-security-issues-patch

Conversation

Copy link

Copilot AI commented Dec 29, 2025
edited
Loading

Security Fix for CVE-2025-12735, CVE-2025-13204, and member function bypass

Addresses security vulnerabilities from silentmatt/expr-eval#288 and #290 that affect this fork.

Changes

  • Prototype pollution protection: Block access to __proto__, prototype, constructor in variable names and member expressions
  • Function call restriction: Only allow functions registered in parser.functions, safe Math builtins, or inline-defined functions
  • IFUNCALL validation: Add validateAllowedFunction check before function invocation
  • Inline function registration: Use counter-based keys to prevent collision attacks
  • Version bump to 5.0.0: Major version bump per semantic versioning for breaking changes

Breaking Change (v5.0.0)

Functions must be registered explicitly instead of passed via context. See BREAKING_CHANGES.md for migration guide.

// Before (vulnerable)
parser.evaluate('fn()', { fn: () => 'pwned' });

// After (secure)
parser.functions.fn = () => 'safe';
parser.evaluate('fn()');

Test Coverage

  • Updated all tests to use secure function registration pattern
  • Added 25 security tests covering:

Verification

  • All 959 tests pass
  • npm run type-check passes with no errors
Original prompt

Analyse the following PRs:

Are these security issues also impacting this library? If so create a PR with a patch fixing the security issues.

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI and others added 2 commits December 29, 2025 15:36
@Sander-Toonen
Add security protections for CVE-2025-12735, CVE-2025-13204, and Issue
74886e7 
…silentmatt#289

- Block arbitrary function calls passed via evaluation context
- Block prototype pollution via __proto__, prototype, constructor access
- Block member function call bypass vulnerability
- Allow inline-defined functions (IFUNDEF) as they are safe
- Allow registered functions in parser.functions
- Allow safe Math functions (sin, cos, sqrt, etc.)
- Update tests to use secure function registration pattern
- Add comprehensive security test suite

Co-authored-by: Sander-Toonen <5106372+Sander-Toonen@users.noreply.github.com>
@Sander-Toonen
Fix code review issues: add validateAllowedFunction to IFUNCALL, use …
abae54e 
…counter-based keys for inline functions

- Add validateAllowedFunction check in IFUNCALL handler to prevent bypassing security
- Use monotonically increasing counter for inline function keys instead of user-controlled names
- Prevent collision attacks on inline function registration

Co-authored-by: Sander-Toonen <5106372+Sander-Toonen@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix security vulnerabilities in expr-eval library Security fix for CVE-2025-12735, CVE-2025-13204, and member function bypass Dec 29, 2025
Copilot AI requested a review from Sander-Toonen December 29, 2025 15:44
@Sander-Toonen
Copy link

Sander-Toonen commented Dec 29, 2025

@copilot Please update the tests accordingly and document breaking changes in BREAKING_CHANGES.md

Copilot AI and others added 2 commits December 29, 2025 15:52
@Sander-Toonen
Update tests to use secure function registration pattern and add BREA…
fb3ddbb 
…KING_CHANGES.md

- Update remaining 2 tests in operators-logical.ts to register functions in parser.functions
- Add comprehensive BREAKING_CHANGES.md documenting security changes and migration guide

Co-authored-by: Sander-Toonen <5106372+Sander-Toonen@users.noreply.github.com>
@Sander-Toonen
Fix TypeScript type error in security test
f4473e6 
Change empty function to return number to satisfy Value type constraint

Co-authored-by: Sander-Toonen <5106372+Sander-Toonen@users.noreply.github.com>
Copy link
Author

Copilot AI commented Dec 29, 2025

@copilot Please update the tests accordingly and document breaking changes in BREAKING_CHANGES.md

Done in fb3ddbb. Updated all tests to use the secure function registration pattern and added BREAKING_CHANGES.md with documentation and migration guide. Also verified npm run type-check passes with no errors (fixed in f4473e6).

@Sander-Toonen
Copy link

Sander-Toonen commented Dec 29, 2025

@copilot Breaking changes mentions Version 4.3.0 → 4.4.0, but I want the version to become 5.0.0 (according to semantic versioning) Also make sure the version number is updated in packages.json and that the lock file is updated accordingly.

@Sander-Toonen
Bump version to 5.0.0 for breaking changes per semantic versioning
580430c 
- Update package.json version from 4.2.0 to 5.0.0
- Update BREAKING_CHANGES.md to reference version 5.0.0
- Update package-lock.json accordingly

Co-authored-by: Sander-Toonen <5106372+Sander-Toonen@users.noreply.github.com>
Copy link
Author

Copilot AI commented Dec 29, 2025

@copilot Breaking changes mentions Version 4.3.0 → 4.4.0, but I want the version to become 5.0.0 (according to semantic versioning) Also make sure the version number is updated in packages.json and ...

Done in 580430c. Updated version to 5.0.0 in package.json, BREAKING_CHANGES.md, and package-lock.json.

@Sander-Toonen Sander-Toonen marked this pull request as ready for review December 29, 2025 16:03
@Sander-Toonen Sander-Toonen merged commit 7eed95d into master Dec 29, 2025
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Sander-Toonen Sander-Toonen Awaiting requested review from Sander-Toonen

Assignees

@Sander-Toonen Sander-Toonen

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Sander-Toonen