VYPR
Unrated severity · NVD Advisory · Published Jun 23, 2026

CVE-2026-12866

Description

All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are transformed directly into executable JavaScript, attackers can escape the intended expression sandbox and run arbitrary code within the application's context.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"String-based code generation in `toJSFunction()` coerces variable values via `toString()` and passes the result directly to `new Function()` without isolation."

Attack vector

An attacker supplies a crafted expression to `toJSFunction()` along with attacker-controlled variable objects that implement a custom `toString()` method. During code generation, `toJSFunction()` coerces variable values via `toString()` and passes the resulting string directly to `new Function()` without isolation [ref_id=1]. This allows the attacker's `toString()` payload to inject arbitrary JavaScript into the generated function body. In Node.js environments the injected code can access globals such as `process`, enabling file system access and command execution [ref_id=1].

What the fix does

The advisory does not provide a patch or code diff. The recommended remediation is to avoid passing untrusted variable objects to `toJSFunction()` or to sanitize/validate variable values before they reach the code-generation path [ref_id=1]. Without a fix, applications that expose expression evaluation to users and reuse compiled expressions via `toJSFunction()` remain vulnerable to arbitrary code execution in Node.js.
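The validation step recommended above can be made concrete with an input gate. The following is an added example, not code from the advisory or from the expr-eval project: it validates an untrusted `values` object before it reaches any string-based code generator, and it assumes a compile function with the shape `compile(params, values)`, as in `expr.toJSFunction(params, values)`. The allowlist (finite numbers, booleans, arrays of those) is deliberately narrow; widen it only for value shapes the target generator is known to escape.

```javascript
'use strict';

// Added example, not code from the advisory or from expr-eval. It validates an
// untrusted `values` object before it is handed to a string-based code
// generator such as expr-eval's `toJSFunction(params, values)` (assumed shape).

// Allowlist of value shapes. Plain objects, class instances, functions and
// symbols are rejected outright: a string-based generator coerces them with
// toString(), so the value itself would decide what text lands in the
// generated function body. Strings are kept out too; add them only if the
// target generator is known to JSON-escape them.
function isSafeValue(v) {
  if (typeof v === 'number') return Number.isFinite(v);
  if (typeof v === 'boolean') return true;
  if (Array.isArray(v)) return v.every(isSafeValue);
  return false;
}

const NAME_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// Returns a fresh, null-prototype copy holding only validated entries.
// Throws on the first offending key so the caller fails closed.
function sanitizeVariables(values) {
  if (values === null || typeof values !== 'object' || Array.isArray(values)) {
    throw new TypeError('variables must be a plain object');
  }
  const clean = Object.create(null);
  for (const key of Object.keys(values)) {
    if (!NAME_RE.test(key) || RESERVED.has(key)) {
      throw new TypeError(`rejected variable name ${JSON.stringify(key)}`);
    }
    const v = values[key];
    if (!isSafeValue(v)) {
      throw new TypeError(`rejected value for "${key}": ${Object.prototype.toString.call(v)}`);
    }
    // Deep-copy arrays so later mutation by the caller cannot reach the copy.
    clean[key] = Array.isArray(v) ? JSON.parse(JSON.stringify(v)) : v;
  }
  return clean;
}

// Wraps any compile(params, values) function, e.g.
//   compileWithValidation(expr.toJSFunction.bind(expr), 'x', untrustedValues)
// so validation always runs before code generation.
function compileWithValidation(compile, params, values) {
  return compile(params, sanitizeVariables(values));
}

// Convenience for callers that want a boolean instead of an exception.
function isSafeVariables(values) {
  try {
    sanitizeVariables(values);
    return true;
  } catch (e) {
    return false;
  }
}
```

Route every `toJSFunction()` call that takes request-derived variables through `compileWithValidation()` rather than calling the API directly, so a rejected key or value fails the request before any code is generated; the `TypeError` message names the offending key and is safe to log for detection purposes.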

Preconditions

  • input: The application must call `toJSFunction()` with attacker-controlled variable objects
  • input: The attacker's variable objects must implement a custom `toString()` method
  • config: The application must run in a Node.js environment (browser environments are not affected)

Generated on Jun 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
