Skip to main content

expr-eval CVE-2026-12866

| EUVDEUVD-2026-38415 CRITICAL
Code Injection (CWE-94)
2026-06-23 snyk GHSA-q9v2-7m5w-4693
Critical
Disputed · 9.2 Vendor: snyk
Share

Severity by source

Sources disagree (Low–Critical)
Vendor (snyk) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Network-reachable API with no auth or interaction once the app exposes toJSFunction() to user input; full RCE yields high C/I/A within the same process scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Red Hat
4.2 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: snyk

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 23, 2026 - 05:28 vuln.today
CVSS changed
Jun 23, 2026 - 05:22 NVD
9.8 (CRITICAL) 9.2 (CRITICAL)

DescriptionCVE.org

All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are transformed directly into executable JavaScript, attackers can escape the intended expression sandbox and run arbitrary code within the application's context.

AnalysisAI

Arbitrary JavaScript code execution in the expr-eval npm package affects all released versions when applications pass user-controlled expressions to the toJSFunction() API, which compiles them via new Function() and executes them in the host process context. Snyk discloses no public exploit identified at time of analysis, but the trivial attack pattern (sandbox escape via crafted math expressions) and CVSS 4.0 score of 9.2 make this a high-priority issue for any Node.js or browser application that exposes expr-eval to untrusted input.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify endpoint accepting expr-eval formula
Delivery
Submit crafted expression abusing constructor access
Exploit
toJSFunction() concatenates payload into source
Execution
new Function() compiles attacker JavaScript
Persist
Evaluator invocation executes payload in-process
Impact
RCE as the Node.js service account

Vulnerability AssessmentAI

Exploitation The vulnerable application must call the toJSFunction() API of expr-eval (not merely parse() or evaluate()) on an expression string that is influenced by an untrusted source such as an HTTP body, query parameter, message-queue payload, or saved user document. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector AV:N/AC:L/AT:P/PR:N/UI:N with VC/VI/VA:H reflects a network-reachable, unauthenticated, low-complexity RCE whose only gating factor is the AT:P attack-requirement bit - namely, the consuming application must actually feed user input into toJSFunction(). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An analyst-facing dashboard lets users define custom KPI formulas like '2*revenue+cost' which the backend compiles via expr-eval's toJSFunction() for speed. An attacker submits a formula such as 'constructor.constructor("return process.mainModule.require(\'child_process\').execSync(\'id\')")()' (or an equivalent that survives the tokenizer), and on the next evaluation the Node.js process executes the embedded shell command with the service account's privileges, yielding immediate RCE without authentication beyond whatever guards the formula-submission endpoint.
Remediation No vendor-released patch identified at time of analysis - the linked GitHub issue (#292) and the Snyk advisory do not cite a fixed version, so consumers should treat this as unpatched and act at the application layer. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Conduct complete dependency audit across all code repositories and environments to identify every application consuming expr-eval; flag all production instances for emergency assessment and apply principle of least privilege to service accounts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-12866 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy