VYPR

npm package

expr-eval

pkg:npm/expr-eval

Vulnerabilities (2)

  • CVE-2025-13204Nov 14, 2025
    affected <= 2.0.2

    npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue.

  • CVE-2025-12735Nov 5, 2025
    affected <= 2.0.2

    The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object or use MEMBER of the context object