Expr Eval
Monthly
Arbitrary JavaScript code execution in the expr-eval npm package affects all released versions when applications pass user-controlled expressions to the toJSFunction() API, which compiles them via new Function() and executes them in the host process context. Snyk discloses no public exploit identified at time of analysis, but the trivial attack pattern (sandbox escape via crafted math expressions) and CVSS 4.0 score of 9.2 make this a high-priority issue for any Node.js or browser application that exposes expr-eval to untrusted input.
Arbitrary JavaScript code execution in the expr-eval npm package affects all released versions when applications pass user-controlled expressions to the toJSFunction() API, which compiles them via new Function() and executes them in the host process context. Snyk discloses no public exploit identified at time of analysis, but the trivial attack pattern (sandbox escape via crafted math expressions) and CVSS 4.0 score of 9.2 make this a high-priority issue for any Node.js or browser application that exposes expr-eval to untrusted input.