[GHSA-jc85-fpwf-qm7x] expr-eval does not restrict functions passed to the evaluate function#6454
Pull Request Overview
This PR updates the security advisory GHSA-jc85-fpwf-qm7x to correctly reflect that the expr-eval-fork package version 3.0.0 remains vulnerable to CVE-2025-12735. The advisory previously incorrectly indicated that version 3.0.0 fixed the vulnerability, when in fact the incomplete patch means the issue persists.
- Changed the affected version range for `expr-eval-fork` from indicating a fix in version 3.0.0 to specifying that version 2.0.2 is the last known affected version
- Removed the redundant `database_specific.last_known_affected_version_range` field, as this information is now properly encoded in the ranges
Hi @sei-vsarvepalli, Your change makes
Hey @JonathanLEvans, good catch - thanks. I will update the PR.
Commit c8af485 into sei-vsarvepalli/advisory-improvement-6454
Hi @sei-vsarvepalli! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Updates
Comments
The npm expr-eval-fork version 3.0.0 is still vulnerable to this vulnerability. The full patch has not been absorbed by the provider: issue 289 in the main package identified the incomplete patch, and it was fixed with silentmatt/expr-eval#288 updates later. However, expr-eval-fork has not absorbed these changes as yet and still remains vulnerable.