
CVE-2025-12735: CWE-94: Improper Control of Generation of Code (‘Code Injection’) in silentmatt expr-eval

Severity: Unknown (no CVSS score assigned)
Tags: Vulnerability, CVE-2025-12735, cve, cwe-94, cwe-1321
Published: Wed Nov 05 2025 (11/05/2025, 00:22:55 UTC)
Source: CVE Database V5
Vendor/Project: silentmatt
Product: expr-eval

Description

The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted variables object into the evaluate() function and trigger arbitrary code execution.

AI-Powered Analysis

AI analysis last updated: 11/05/2025, 00:50:05 UTC

Technical Analysis

CVE-2025-12735 affects silentmatt's expr-eval, a JavaScript library that parses and evaluates mathematical expressions against a caller-supplied variables object. The weakness is classed as CWE-94 (Improper Control of Generation of Code): evaluate() does not sufficiently validate the variables object it receives, so an attacker who can shape that object can make the evaluator execute arbitrary JavaScript in the process of the host application. The dangerous input is therefore the variables object, not only the expression string; applications that build that object from request bodies, stored user settings or merged configuration are the ones exposed. The record's affected-version field lists only '0', which this analysis reads as every release published before the advisory; confirm the exact range against the CVE record and the project's release notes before concluding that a deployment is unaffected. At the time of this analysis no fix had been published and no exploitation in the wild had been reported. The entry was reserved and published by CERT/CC on November 5, 2025, without a CVSS score, so severity has to be assessed independently: code execution reachable without authentication, wherever an application lets untrusted input reach evaluate(), justifies treating it as critical. The consequences are those of any server-side code execution, namely data theft, service disruption and lateral movement from the compromised host. The second tag, CWE-1321, is Improperly Controlled Modification of Object Prototype Attributes (prototype pollution), not a code-generation weakness; its presence indicates that manipulation of object prototypes through the variables object is part of the reported weakness, although the record gives no further detail. expr-eval is a common dependency of JavaScript applications that let users write formulas, so exposure is likely to be broad.

Potential Impact

For European organizations the impact of CVE-2025-12735 can be severe. Any application that passes a user-influenced variables object to expr-eval's evaluate() can be made to execute attacker-chosen code, with the usual consequences: data breaches, unauthorized access to sensitive information, service outages and pivoting into internal networks. Sectors that commonly expose formula or rule evaluation to users, such as finance, healthcare, e-commerce and critical infrastructure, are the most likely to have such an entry point. Because exploitation needs no authentication where the evaluate() call is reachable, automated exploitation is plausible once a public exploit exists, and a compromised application can serve as a launch point for supply-chain attacks or ransomware. The absence of known exploits at the time of analysis leaves a window for proactive mitigation, but arbitrary code execution warrants urgent attention regardless of the missing CVSS score. Breaches that result from it also carry GDPR notification and compliance exposure.

Mitigation Recommendations

To mitigate CVE-2025-12735, first find every copy of the library, including transitive ones, with npm ls expr-eval in each project, then locate every call to evaluate() (and Parser.evaluate) and trace where its variables argument comes from. Treat that variables object as untrusted input: construct it server-side from an allow-list of variable names the application actually defines, accept only primitive values of the expected type (typically finite numbers), reject functions, nested objects and arrays, and never pass a deserialized request body or a merged user-supplied object straight into evaluate(). Reject the property names __proto__, constructor and prototype outright and prefer a null-prototype object for the variables, since CWE-1321 is tagged on this record. Bound the length of user-supplied expressions as well. Runtime application self-protection (RASP) or a web application firewall (WAF) can add a detection layer, but a WAF sees only the serialized request and cannot reliably distinguish a legitimate variables object from a crafted one, so treat it as supplementary rather than as the fix. Log rejected variables objects and evaluation errors and monitor them for spikes or unusual property names. Run the evaluation in an isolated worker or process with minimal privileges so that code execution inside it has limited reach. Track the silentmatt project for a patched release and npm audit once advisory data carries this CVE, and deploy the fix with priority when it appears, keeping the input validation as defence in depth. Educate developers on the risks of dynamic evaluation of user input, and include expression-evaluation components in penetration tests focused on injection.
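The following is an added example, not code from expr-eval or from this analysis. It implements the allow-list and value-type checks the mitigation section recommends, and the own-property lookup discipline discussed in the technical analysis, as a wrapper that sits in front of the evaluator. The evaluator is injected so the block runs without the library; demoEvaluate is a constructed stand-in (its header comment shows where expr-eval's Parser#evaluate would be wired in instead), and the variable names price, qty and rate and the sample requests are constructed for the example.

```javascript
// Added example, not expr-eval's own code: a hardening wrapper for calls into
// an expression evaluator. The evaluator is injected so this runs offline; with
// the real library it would be wired as:
//   const { Parser } = require('expr-eval');
//   const evaluate = (e, v) => new Parser().evaluate(e, v);

// Names an evaluator could resolve through the prototype chain (CWE-1321).
const FORBIDDEN_NAMES = new Set(['__proto__', 'constructor', 'prototype']);
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;
const MAX_EXPRESSION_LENGTH = 256;

// Copy an untrusted variables object into a null-prototype object, keeping only
// own, identifier-shaped, allow-listed names whose values are finite numbers.
// Functions, nested objects, arrays, strings, NaN/Infinity and prototype-related
// names are rejected by throwing.
function sanitizeVariables(untrusted, allowedNames) {
  if (untrusted === null || typeof untrusted !== 'object' || Array.isArray(untrusted)) {
    throw new TypeError('variables must be a plain object');
  }
  const clean = Object.create(null);
  for (const name of Object.keys(untrusted)) {
    if (FORBIDDEN_NAMES.has(name) || !IDENTIFIER.test(name)) {
      throw new RangeError(`illegal variable name: ${JSON.stringify(name)}`);
    }
    if (!allowedNames.has(name)) throw new RangeError(`variable not in allow-list: ${name}`);
    const value = untrusted[name];
    if (typeof value !== 'number' || !Number.isFinite(value)) {
      throw new TypeError(`variable ${name} must be a finite number`);
    }
    clean[name] = value;
  }
  return clean;
}

// Guarded entry point: bounds the expression, sanitizes the variables, then calls
// the injected evaluator. Returns a result object instead of throwing so callers
// can log rejections without leaking stack traces to the client.
function guardedEvaluate(evaluate, expression, untrustedVariables, allowedNames) {
  try {
    if (typeof expression !== 'string' || expression.length > MAX_EXPRESSION_LENGTH) {
      throw new RangeError('expression must be a string of bounded length');
    }
    const vars = sanitizeVariables(untrustedVariables, allowedNames);
    return { ok: true, value: evaluate(expression, vars) };
  } catch (err) {
    return { ok: false, error: `${err.name}: ${err.message}` };
  }
}

// Constructed stand-in evaluator (NOT expr-eval): numbers, identifiers, + - * /
// and parentheses, no unary minus. Identifiers resolve by own property only,
// which is the lookup discipline a safe evaluator needs.
function demoEvaluate(expression, vars) {
  const tokenRe = /\d+(?:\.\d+)?|[A-Za-z_][A-Za-z0-9_]*|[-+*/()]/g;
  if (expression.replace(tokenRe, '').trim() !== '') {
    throw new SyntaxError('unsupported characters in expression');
  }
  const tokens = expression.match(tokenRe) || [];
  const OPS = new Map([['+', (a, b) => a + b], ['-', (a, b) => a - b],
                       ['*', (a, b) => a * b], ['/', (a, b) => a / b]]);
  const PREC = new Map([['+', 1], ['-', 1], ['*', 2], ['/', 2]]);
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  function primary() {
    const t = next();
    if (t === undefined) throw new SyntaxError('unexpected end of expression');
    if (t === '(') {
      const v = binary(1);
      if (next() !== ')') throw new SyntaxError('expected )');
      return v;
    }
    if (/^[0-9]/.test(t)) return Number(t);
    if (IDENTIFIER.test(t)) {
      if (!Object.prototype.hasOwnProperty.call(vars, t)) throw new ReferenceError(`undefined variable: ${t}`);
      return vars[t];
    }
    throw new SyntaxError(`unexpected token: ${t}`);
  }
  // Precedence climbing over the binary operators; left-associative.
  function binary(minPrec) {
    let left = primary();
    while (PREC.has(peek()) && PREC.get(peek()) >= minPrec) {
      const op = next();
      left = OPS.get(op)(left, binary(PREC.get(op) + 1));
    }
    return left;
  }
  const result = binary(1);
  if (pos !== tokens.length) throw new SyntaxError(`unexpected token: ${tokens[pos]}`);
  return result;
}

// Constructed sample inputs: a benign variables object and two hostile ones of
// the shape a deserializer or object merge could hand straight to evaluate().
const ALLOWED_NAMES = new Set(['price', 'qty', 'rate']);
const benignVars = { price: 20, qty: 3, rate: 0.25 };
const functionVars = { price: () => 20, qty: 3 };
const protoVars = JSON.parse('{"price": 20, "__proto__": {"qty": 3}}');

console.log(guardedEvaluate(demoEvaluate, 'price * qty * (1 + rate)', benignVars, ALLOWED_NAMES));
console.log(guardedEvaluate(demoEvaluate, 'price', functionVars, ALLOWED_NAMES));
console.log(guardedEvaluate(demoEvaluate, 'price + qty', protoVars, ALLOWED_NAMES));
```

The benign request evaluates to 75; the object carrying a function value is rejected before the evaluator sees it, and the object parsed from JSON with an own "__proto__" key is rejected by name. Replace demoEvaluate with the expr-eval call shown in the header comment, and make the allow-list the set of variables the application actually defines. The wrapper is defence in depth, not a substitute for a fixed release once the project publishes one.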


Technical Details

Data Version
5.2
Assigner Short Name
certcc
Date Reserved
2025-11-05T00:04:49.648Z
Cvss Version
null
State
PUBLISHED

Threat ID: 690a9bd016b8dcb1e3c928b5

Added to database: 11/5/2025, 12:35:28 AM

Last enriched: 11/5/2025, 12:50:05 AM

Last updated: 11/5/2025, 4:01:35 AM