23 matches found
PT-2025-45064
Name of the Vulnerable Software and Affected Versions: expr-eval versions prior to 3.0.0; expr-eval-fork versions prior to 3.0.0. Description: The expr-eval library, a JavaScript expression parser and evaluator, is susceptible to remote code execution (RCE). This issue stems from inadequate input...
10minions-engine (>=0.0.1 <=0.0.4), 3ui (>=0.1.0 <=0.1.8) +1043 more potentially affected by CVE-2025-13204 via expr-eval (>=0.12.0 <=2.0.2)
expr-eval NPM version =0.12.0, =0.0.1, =0.1.0, =1.0.2, =1.2.0, =1.0.0, =0.0.9, =0.0.1, =0.1.4, =0.0.11, =0.0.1, =0.0.0, =0.0.1 - @alphalang-ai/alphalang =0.0.1-alpha and more Source cves: CVE-2025-13204 Source advisory: SNYK:JS-EXPREVAL-13508636...
Prototype Pollution in silentmatt/expr-eval
✍️ Description With specific input, attackers can define properties on the prototype, which will lead to prototype pollution. Needs node version=12.0.0, which introduces Object.fromEntries 🕵️♂️ Proof of Concept // PoC.js const Parser = require('expr-eval'); const o = {}; console.log("o.a=", o.a); // o.a=...