Security Patch.

[sei-vsarvepalli]

Fixes a vulnerability in the expr-eval package. We are unable to reach the researcher @silentmatt and @jorenbroekema developers who have their versions in the npmjs repository.

Vijay Sarvepalli
on behalf of CERT/CC

[jorenbroekema]

I'm in the remote outback of Australia on a trip so that's why I've been hard to reach. When I have slightly better connection I'll try to make sure this is resolved on my end (jorenbroekema/expr-eval-fork). Sorry for not being as responsive as I would usually be!

[dbakan]

Shouldn't this return false if f is not a function?

[jorenbroekema]

The check here is redundant anyways because we already check if the var is a function at the place where this is called. I'm guessing if it's not a function, then the expression is allowed because only functions are potentially malicious.

[jorenbroekema]

Could you @sei-vsarvepalli take a look here jorenbroekema#1 , I created a PR on my fork to include these security fixes, some linting fixes and adding an exports map (since we're doing a breaking change anyways, makes sense imo to include it now, see also #280)

[sei-vsarvepalli]

Continued work in jorenbroekema#1

[jorenbroekema]

Released v3.0.0 of expr-eval-fork, please note the changelog for breaking changes that were included in this

[vladko312]

@sei-vsarvepalli
Is it possible to also issue CVE for the original prototype pollution? It also leads to RCE, but without requirements for context. I was unable to contact the original discoverer @yoshino-s as well as the maintainer @silentmatt

That vulnerability only affects expr-eval, not expr-eval-fork

[sei-vsarvepalli]

@sei-vsarvepalli Is it possible to also issue CVE for the original prototype pollution? It also leads to RCE, but without requirements for context. I was unable to contact the original discoverer @yoshino-s as well as the maintainer @silentmatt

That vulnerability only affects expr-eval, not expr-eval-fork

Sure - it has been reserved and published now as CVE-2025-13204

[vladko312]

Sure - it has been reserved and published now as CVE-2025-13204

Thank you! It will make the issue easier to track.

Here are some links that could be added:

• Original prototype pollution advisory: https://www.huntr.dev/bounties/1-npm-expr-eval/
• SECCON CTF 2022 official solution for expr-eval-based RCE challenge: https://github.com/SECCON/SECCON2022_final_CTF/blob/main/jeopardy/web/babybox/solver/solver.py
• My payload for automated RCE (as SSTImap module, if needed): https://github.com/vladko312/extras/blob/f549d505af300fd74a01b46fab2102990ff1c14d/expr-eval.py

[arkark]

I've just noticed this issue, and I'm the author of the CTF challenge that used this library.
For your reference, here is the writeup: https://blog.arkark.dev/2023/02/17/seccon-finals/#web-100-babybox

Thank you for your work in handling this vulnerability.

[sei-vsarvepalli]

Please also see we are also trying to solve - #289

[edubz99]

Any timeline for when this will be merged and published to npm? We're blocked on the incomplete GHSA-jc85-fpwf-qm7x fix in v3.0.0

[jorenbroekema]

#291 work in progress (on the fork) but need some help with the failing tests that the member access patch introduced.

[sei-vsarvepalli]

#291 work in progress (on the fork) but need some help with the failing tests that the member access patch introduced.

https://github.com/sei-vsarvepalli/expr-eval-secure/tree/member-access is ready for fine-tuning and release to npm.