High severity · NVD Advisory · Published Nov 14, 2025 · Updated Nov 14, 2025
CVE-2025-13204
Description
The npm package expr-eval is vulnerable to prototype pollution. An attacker who can submit expressions to the expression evaluation interface can traverse JavaScript's prototype-based inheritance chain from the evaluated values to achieve arbitrary code execution. The npm package expr-eval-fork resolves this issue (patched in 2.0.2, per the table below); no patched version of expr-eval itself is listed.
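The mechanism the description refers to, as an added illustration that is not expr-eval's source nor taken from the advisory references: a toy member resolver for dotted paths such as `user.name.constructor.constructor`. The naive version uses plain property access, which consults inherited properties, so any value leads to `Function` (an `eval` equivalent) in two steps. The hardened version only follows own properties of plain objects, rejects the keys that open the prototype chain, and dispatches function calls through an explicit `Map` of host-registered functions. The function names `resolveNaive`, `resolveHardened` and `makeFunctionTable`, and the sample scope, are assumptions made for this example.

```javascript
// Added illustration (not expr-eval's source): why a member lookup that walks the
// JavaScript prototype chain turns an expression evaluator into an eval, and what
// a hardened lookup looks like. Assumed toy API: resolve*(scope, "a.b.c") returns
// the value at that dotted path; callFn(name, ...args) calls a registered function.

// Vulnerable resolver: plain property access, which consults inherited properties.
// Every value inherits .constructor, and <any function>.constructor is Function,
// so "x.constructor.constructor" yields Function from any starting value.
function resolveNaive(scope, path) {
  let cur = scope;
  for (const key of path.split(".")) {
    cur = cur[key];
  }
  return cur;
}

// Hardened resolver: only own properties of plain objects are reachable, the keys
// that open the prototype chain are rejected outright, the walk stops at
// non-object values (strings, numbers), and functions are never handed back.
const DENIED_KEYS = new Set(["constructor", "__proto__", "prototype"]);

function resolveHardened(scope, path) {
  let cur = scope;
  for (const key of path.split(".")) {
    if (DENIED_KEYS.has(key)) {
      throw new Error(`forbidden member: ${key}`);
    }
    if (cur === null || typeof cur !== "object" ||
        !Object.prototype.hasOwnProperty.call(cur, key)) {
      throw new Error(`unknown member: ${key}`);
    }
    cur = cur[key];
    if (typeof cur === "function") {
      throw new Error(`member ${key} is a function and cannot be referenced`);
    }
  }
  return cur;
}

// Function table for names an expression may call. A Map is used rather than a
// plain object: fns["constructor"] on a plain object silently returns Object,
// whereas map.get("constructor") is undefined unless the host registered it.
function makeFunctionTable(fns) {
  const table = new Map(Object.entries(fns));
  return function callFn(name, ...args) {
    const fn = table.get(name);
    if (typeof fn !== "function") {
      throw new Error(`unknown function: ${name}`);
    }
    return fn(...args);
  };
}

// Constructed sample scope, as an evaluator would expose host data to expressions.
const sampleScope = { user: { name: "alice" }, count: 3 };

// Demonstration: the naive resolver hands back Function, which an "expression"
// can then use to execute attacker-chosen source; the hardened one refuses.
const escaped = resolveNaive(sampleScope, "user.name.constructor.constructor");
console.log(escaped === Function);               // true
console.log(escaped("return 6 * 7")());           // 42: arbitrary source executed
try {
  resolveHardened(sampleScope, "user.name.constructor.constructor");
} catch (e) {
  console.log(e.message);                         // forbidden member: constructor
}
console.log(resolveHardened(sampleScope, "user.name")); // alice
```

The deny-list alone is not the defence: the own-property check is what stops an expression from reaching inherited members under any other name (`toString`, `valueOf`, `__defineGetter__`), and keeping callable functions out of the scope entirely removes the second `.constructor` hop.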
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| expr-eval (npm) | <= 2.0.2 | — |
| expr-eval-fork (npm) | < 2.0.2 | 2.0.2 |
Affected products
OSV coordinates (8 entries, 7 with version ranges):
- pkg:apk/chainguard/kibana-8.19 (no CPE): < 8.19.15-r0
- pkg:apk/chainguard/kibana-8.19-bitnami (no CPE): < 8.19.15-r0
- pkg:apk/chainguard/kibana-8.19-iamguarded (no CPE): < 8.19.15-r0
- pkg:apk/chainguard/kibana-9.2 (no CPE): < 9.2.5-r0
- pkg:apk/chainguard/librechat (no CPE): < 0.8.1-r0
- pkg:npm/expr-eval (no CPE): <= 2.0.2
- pkg:npm/expr-eval-fork (no CPE): < 2.0.2
- silentmatt/expr-eval (GitHub repository): range: 0
References
10 references:
- github.com/silentmatt/expr-eval/pull/252/files (GHSA; patch)
- github.com/vladko312/extras/blob/f549d505af300fd74a01b46fab2102990ff1c14d/expr-eval.py (GHSA; exploit)
- github.com/advisories/GHSA-8gw3-rxh4-v6jx (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-13204 (GHSA; advisory)
- www.huntr.dev/bounties/1-npm-expr-eval/ (MITRE; third-party advisory)
- github.com/SECCON/SECCON2022_final_CTF/blob/main/jeopardy/web/babybox/solver/solver.py (GHSA; web)
- github.com/jorenbroekema/expr-eval/commit/6c475a118643ae0efe012de283e932fb8b74324b (GHSA; web)
- github.com/silentmatt/expr-eval/commit/6e889e0e75c50ac37d70c35388602025650e0c50 (GHSA; web)
- www.huntr.dev/bounties/1-npm-expr-eval (GHSA; web)
- www.npmjs.com/package/expr-eval-fork (GHSA; web)