CVE-2026-12866 in expr-eval

Summary

by MITRE • 06/23/2026

All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are transformed directly into executable JavaScript, attackers can escape the intended expression sandbox and run arbitrary code within the application's context.


Analysis

by VulDB Data Team • 06/23/2026

The expr-eval package is a widely used mathematical expression parser and evaluator for JavaScript applications, intended to evaluate expressions supplied by users or external sources safely. The vulnerability lies in the toJSFunction() API, which converts a parsed mathematical expression into executable JavaScript code. Because this path performs insufficient validation and sanitization of the expression, an attacker can inject content directly into the expression parsing pipeline; the resulting string is then compiled with the new Function() constructor and executed as JavaScript within the application's execution context.

This is a classic sandbox escape: the intended security boundary between safe mathematical expressions and arbitrary code execution is bypassed entirely. Since toJSFunction() consumes user input without proper sanitization, any expression becomes JavaScript that runs with the same privileges as the hosting application. The result is a severe privilege escalation scenario in which an attacker can execute arbitrary commands, access sensitive data, or perform other malicious activity within the application's security context. Because the flaw sits in the core of the package's functionality, it affects all versions and cannot be mitigated through simple patching without architectural changes.

The operational impact goes beyond simple code execution to full application compromise and potential data breaches: an attacker can use the flaw to mount persistent attacks, establish backdoors, or escalate privileges within the compromised system. The issue fits the common pattern in the MITRE ATT&CK framework in which adversaries exploit software weaknesses to gain unauthorized access and execute malicious code, mapping directly to technique T1059.007 (Command and Scripting Interpreter: JavaScript). It represents a failure of secure coding practice that violates the fundamental principles of input validation and privilege separation, and it corresponds to CWE-94 (Improper Control of Generation of Code, 'Code Injection'), the weakness of executing arbitrary code through improper input handling.

Remediation should be immediate: update to a patched version of the expr-eval package where one is available, implement strict input validation and sanitization, and remove or restrict use of the vulnerable toJSFunction() API entirely. Organizations should assess every application that uses this package to identify potential exploitation vectors and apply proper sandboxing that isolates expression evaluation from the main application execution context. Runtime monitoring solutions and web application firewalls can additionally help detect and block exploitation attempts. The vulnerability underlines how essential secure coding practices and proper input validation are to preventing code injection attacks that can lead to complete system compromise.
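As an added illustration of the mitigation described above (this is not code from expr-eval or from VulDB), the following evaluator interprets user expressions by walking a small arithmetic grammar directly instead of compiling them with new Function(), so there is no generated JavaScript to escape into. The grammar, the FUNCS whitelist and the evaluate() name are this example's own assumptions.

```javascript
// Added example (not expr-eval's code): a tree-walking evaluator. User text is only
// ever tokenized and interpreted; it is never passed to new Function() or eval().
const FUNCS = { sqrt: Math.sqrt, abs: Math.abs, min: Math.min, max: Math.max };
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
function tokenize(src) {
  const re = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*/^(),]))\s*/y;
  const out = [];
  for (let pos = 0; pos < src.length; pos = re.lastIndex) {
    re.lastIndex = pos;
    const m = re.exec(src);
    // Anything outside the grammar (quotes, ';', '.', '[', '=') is rejected here.
    if (!m) throw new SyntaxError(`unexpected character at offset ${pos}`);
    out.push(m[1] !== undefined ? { t: 'num', v: Number(m[1]) } : m[2] !== undefined ? { t: 'id', v: m[2] } : { t: 'op', v: m[3] });
  }
  return out;
}
function evaluate(src, vars = {}) {
  const toks = tokenize(src); let i = 0;
  const peek = () => toks[i];
  const eat = (v) => { const t = toks[i]; if (!t || t.v !== v) throw new SyntaxError(`expected '${v}'`); i++; };
  const isOp = (...ops) => peek() !== undefined && peek().t === 'op' && ops.includes(peek().v);
  function expr() { let x = term(); while (isOp('+', '-')) { const o = toks[i++].v; const y = term(); x = o === '+' ? x + y : x - y; } return x; }
  function term() { let x = unary(); while (isOp('*', '/')) { const o = toks[i++].v; const y = unary(); x = o === '*' ? x * y : x / y; } return x; }
  function unary() { if (isOp('-')) { i++; return -unary(); } return power(); }
  function power() { const b = atom(); if (isOp('^')) { i++; return b ** unary(); } return b; } // right-associative
  function atom() {
    const t = toks[i++];
    if (!t) throw new SyntaxError('unexpected end of expression');
    if (t.t === 'num') return t.v;
    if (t.t === 'op' && t.v === '(') { const v = expr(); eat(')'); return v; }
    if (t.t === 'id') {
      if (isOp('(')) { // function call: only whitelisted names, looked up as own properties
        if (!hasOwn(FUNCS, t.v)) throw new SyntaxError(`unknown function '${t.v}'`);
        i++; const args = [];
        if (!isOp(')')) { args.push(expr()); while (isOp(',')) { i++; args.push(expr()); } }
        eat(')');
        return FUNCS[t.v](...args);
      }
      // Variable lookup uses own properties only, so 'constructor' etc. never resolve.
      if (!hasOwn(vars, t.v)) throw new SyntaxError(`unknown variable '${t.v}'`);
      return Number(vars[t.v]);
    }
    throw new SyntaxError(`unexpected token '${t.v}'`);
  }
  const result = expr();
  if (i !== toks.length) throw new SyntaxError(`trailing input '${toks[i].v}'`);
  return result;
}
// True when the evaluator refuses the input with a SyntaxError rather than running it.
function rejects(src, vars) { try { evaluate(src, vars); return false; } catch (e) { return e instanceof SyntaxError; } }
```

Inputs that would be JavaScript rather than arithmetic (property access, semicolons, non-whitelisted names) are refused at tokenizing or lookup time, which is the property toJSFunction() lacks.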

Responsible

Snyk

Reservation

06/22/2026

Disclosure

06/23/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources
