CVE-2025-12735: CWE-94: Improper Control of Generation of Code (‘Code Injection’) in silentmatt expr-eval
The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object, or use a member of the context object, to the evaluate() function and trigger arbitrary code execution.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-12735 affects the silentmatt expr-eval library, a JavaScript tool designed to safely parse and evaluate mathematical expressions with user-defined variables. The core issue lies in improper control over code generation (CWE-94), where the library fails to adequately validate input passed as the context object or its members to the evaluate() function. This flaw allows an attacker to inject malicious code that gets executed during expression evaluation, effectively enabling arbitrary code execution. The vulnerability is exploitable remotely (AV:N), requires no privileges (PR:N) or user interaction (UI:N), and impacts confidentiality, integrity, and availability to a high degree (C:H/I:H/A:H), resulting in a CVSS v3.1 score of 9.8. The affected versions are indicated as '0', which likely means all versions prior to a fix or the initial release version. No patches or known exploits are currently documented, but the severity and ease of exploitation make it a critical threat. The vulnerability also relates to CWE-1321, which involves improper handling of member expressions, further contributing to the injection risk. This vulnerability is particularly dangerous in environments where user input is evaluated dynamically, such as web applications, server-side JavaScript environments (Node.js), or embedded scripting contexts. Attackers exploiting this flaw can execute arbitrary commands, potentially leading to full system compromise, data theft, or service disruption.
Potential Impact
For European organizations, the impact of CVE-2025-12735 can be severe. Many enterprises rely on JavaScript libraries like expr-eval for dynamic expression evaluation in web applications, financial platforms, analytics tools, and IoT devices. Exploitation could lead to unauthorized access, data breaches involving sensitive personal or corporate data, and disruption of critical services. Given the critical CVSS score and the lack of required authentication or user interaction, attackers can remotely compromise vulnerable systems at scale. This poses a significant risk to sectors such as finance, healthcare, government, and technology, where data integrity and availability are paramount. Additionally, the breach of confidentiality could violate GDPR regulations, leading to legal and financial penalties. The ability to execute arbitrary code also means attackers could establish persistent footholds, deploy ransomware, or pivot within networks, amplifying the damage. The absence of known exploits in the wild currently provides a window for proactive mitigation, but the threat landscape could rapidly evolve.
Mitigation Recommendations
Immediate mitigation steps include monitoring for updates or patches from the silentmatt project and applying them as soon as they become available. Until a patch is released, organizations should implement strict input validation and sanitization on all data passed to the expr-eval library, especially the context object and its members. Avoid evaluating expressions that incorporate untrusted or user-supplied data. Employ runtime application self-protection (RASP) or web application firewalls (WAF) to detect and block suspicious expression evaluation patterns. Conduct thorough code reviews to identify and refactor usage of expr-eval in critical systems. Consider isolating or sandboxing components that perform expression evaluation to limit potential damage from exploitation. Additionally, enhance logging and alerting around expression evaluation failures or anomalies to enable rapid detection of exploitation attempts. Educate developers about the risks of dynamic code evaluation and promote safer alternatives where feasible.
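The mitigation advice above (allow-list the context members, refuse untrusted or non-primitive values, pre-filter the expression, and log rejections) can be applied as a gate in front of whatever evaluator an application uses; the same gate addresses the description's point that a crafted context object or a member of it is the injection vector. The JavaScript below is an added example written for this page, not code from the advisory or from the expr-eval project. It assumes an `evaluateFn` parameter into which the real evaluator would be plugged (for expr-eval that would be `parser.parse(expr).evaluate(ctx)`); the `reportingEvaluator` stand-in, the `ALLOWED_FUNCS` list and the sample contexts are constructed for the demonstration so the file runs without the library installed.

```javascript
// Added example (not from the advisory or the expr-eval project): a gate that
// applies the advisory's mitigation advice before an expression and its
// context reach an evaluator. evaluateFn is an assumed parameter; with
// expr-eval it would be (e, ctx) => parser.parse(e).evaluate(ctx).

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
const IDENT_ALL = /[A-Za-z_][A-Za-z0-9_]*/g;
// Functions an expression may call; a constructed allow-list for the demo.
const ALLOWED_FUNCS = new Set(['abs', 'sqrt', 'min', 'max', 'round']);

// Copy allow-listed, own, primitive-valued members into a null-prototype
// object so the evaluator never sees functions, nested objects or anything
// inherited. Suspicious input throws rather than being silently dropped,
// which gives monitoring a clear signal.
function sanitizeContext(untrusted, allowedVars) {
  if (untrusted === null || typeof untrusted !== 'object' || Array.isArray(untrusted)) {
    throw new TypeError('context must be a plain object');
  }
  const clean = Object.create(null);
  for (const key of Object.keys(untrusted)) {
    if (FORBIDDEN_KEYS.has(key) || !IDENT.test(key)) {
      throw new Error(`rejected context key: ${key}`);
    }
    if (!allowedVars.has(key)) {
      throw new Error(`context key not in allow-list: ${key}`);
    }
    const value = untrusted[key];
    const ok = typeof value === 'boolean' ||
      (typeof value === 'number' && Number.isFinite(value));
    if (!ok) {
      // functions, strings, objects, arrays and NaN/Infinity all end here
      throw new Error(`rejected context member ${key} of type ${typeof value}`);
    }
    clean[key] = value;
  }
  return clean;
}

// Pre-filter for the expression text: a conservative character set, no
// member access or indexing, and every identifier must be a known variable
// or an allow-listed function. This sits in front of the parser; it does
// not replace it.
function checkExpression(expr, allowedVars, maxLen = 256) {
  if (typeof expr !== 'string' || expr.length === 0 || expr.length > maxLen) {
    throw new Error('expression rejected: bad type or length');
  }
  if (!/^[A-Za-z0-9_+\-*\/%^().,\s]*$/.test(expr)) {
    throw new Error('expression rejected: disallowed character');
  }
  // A dot is only acceptable inside a numeric literal such as 2.5.
  if (/(^|[^0-9])\.|\.($|[^0-9])/.test(expr)) {
    throw new Error('expression rejected: member access or malformed number');
  }
  for (const id of expr.match(IDENT_ALL) || []) {
    if (!allowedVars.has(id) && !ALLOWED_FUNCS.has(id)) {
      throw new Error(`expression rejected: unknown identifier ${id}`);
    }
  }
  return true;
}

// Run both checks, then hand only the sanitized context to the evaluator.
// Rejections go through the log callback so they can be alerted on.
function safeEvaluate(evaluateFn, expr, untrustedContext, allowedVars, log = () => {}) {
  try {
    checkExpression(expr, allowedVars);
    const ctx = sanitizeContext(untrustedContext, allowedVars);
    return evaluateFn(expr, ctx);
  } catch (err) {
    log({ event: 'expr_eval_rejected', reason: err.message,
          expr: String(expr).slice(0, 80) });
    throw err;
  }
}

// Stand-in evaluator so this file runs without expr-eval: it only reports
// what the gate let through, which is the point of the example.
function reportingEvaluator(expr, ctx) {
  return { expr, keys: Object.keys(ctx), nullProto: Object.getPrototypeOf(ctx) === null };
}

if (typeof require !== 'undefined' && require.main === module) {
  const vars = new Set(['x', 'y']);
  const events = [];
  console.log(safeEvaluate(reportingEvaluator, '2 * x + max(y, 3)', { x: 21, y: 1 }, vars));
  // Constructed rejected inputs: member access, an own __proto__ key, a function value.
  const rejected = [['x.constructor', { x: 1 }],
                    ['x', JSON.parse('{"__proto__":{"p":1}}')],
                    ['x', { x: () => 1 }]];
  for (const [expr, ctx] of rejected) {
    try { safeEvaluate(reportingEvaluator, expr, ctx, vars, e => events.push(e)); }
    catch (e) { /* rejected as intended */ }
  }
  console.log(events.map(e => e.reason));
}
```

The null-prototype copy matters because an own `__proto__` key (as produced by `JSON.parse` on attacker-controlled JSON) is an ordinary key to `Object.keys` and is rejected explicitly, while inherited properties never reach the copy at all; the expression pre-filter rejects indexing and any dot that is not part of a numeric literal, so member expressions are stopped before the parser sees them.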
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: certcc
- Date Reserved: 2025-11-05T00:04:49.648Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 690a9bd016b8dcb1e3c928b5
Added to database: 11/5/2025, 12:35:28 AM
Last enriched: 11/26/2025, 5:18:11 AM
Last updated: 12/20/2025, 3:53:39 AM
Views: 522