CVE

CVE-2025-13204

expr-eval vulnerable to Prototype Pollution

CVE

CVE-2025-13204

expr-eval vulnerable to Prototype Pollution

npm package expr-eval is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

7.3

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

7.3

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Related Resources

No items found.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-13204, https://github.com/silentmatt/expr-eval/pull/252/files, https://github.com/jorenbroekema/expr-eval/commit/6c475a118643ae0efe012de283e932fb8b74324b, https://github.com/silentmatt/expr-eval/commit/6e889e0e75c50ac37d70c35388602025650e0c50, https://github.com/SECCON/SECCON2022finalCTF/blob/main/jeopardy/web/babybox/solver/solver.py, https://github.com/jorenbroekema/expr-eval, https://github.com/silentmatt/expr-eval, https://github.com/vladko312/extras/blob/f549d505af300fd74a01b46fab2102990ff1c14d/expr-eval.py, https://www.huntr.dev/bounties/1-npm-expr-eval, https://www.npmjs.com/package/expr-eval-fork

Severity

7.3

CVSS Score

Basic Information

Ecosystem

Base CVSS

7.3

EPSS Probability

0.00085%

EPSS Percentile

0.24912%

Introduced Version

0,2.0.0,0.10.0,0.9.0

Fix Available

2.0.2

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2025-13204

CVE-2025-13204

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

7.3

Basic Information

Fix Critical Vulnerabilities Instantly