CVE: CVE-2026-12866 | CVSS 3.1: 9.8 (CRITICAL) | CWE: CWE-94 (Improper Control of Generation of Code — Code Injection) | Vendor: silentmatt | Product: expr-eval | Affected versions: All versions (1.0.0 through latest)
What Is the Vulnerability
CVE-2026-12866 is a critical arbitrary code execution vulnerability in the expr-eval JavaScript library, a popular expression evaluation package with over 2 million weekly downloads on npm. The vulnerability exists in the library’s core design: user-controlled expression strings are compiled directly into native JavaScript code using new Function(), which provides no sandboxing or isolation from the host application’s execution context.
The vulnerable code path is in toJSFunction(), located at src/expression.js#L55 in the library source. When an application passes user-supplied input to expr-eval’s parser, the resulting expression object contains a method that compiles the parsed expression into a JavaScript function body that is then executed via the Function constructor. This means any JavaScript code embedded in the expression — not just mathematical operations — will execute with the full privileges of the Node.js or browser runtime.
The impact is severe: any web application, API, or service that exposes expr-eval to untrusted user input is vulnerable to remote code execution. An attacker can craft a malicious expression that reads environment variables, accesses the file system, exfiltrates data, or establishes reverse shells — all within the context of the running application. Given the library’s popularity (2M+ weekly downloads), the attack surface across the npm ecosystem is vast.
This is fundamentally an architectural vulnerability rather than a bug — the library’s design intent is to evaluate arbitrary expressions, and the use of new Function() is inherently unsafe when the input is not fully trusted. There is no configuration option to sandbox or restrict expression evaluation.
Versions Affected
- All versions of expr-eval (npm package expr-eval) — from 1.0.0 through the latest release
- The vulnerability is inherent to the library’s architecture and affects every published version
Exploited?
There is no known active exploitation of CVE-2026-12866 in the wild at this time. However, the vulnerability is trivially exploitable — any application that passes user input to expr-eval without strict input validation is at immediate risk. Given the library’s widespread use, exploitation is likely a matter of time.
Fix
As of this writing, there is no patch available that fully addresses the vulnerability across all versions. The core issue — using new Function() to execute user-controlled input — is a design choice, not a simple bug. Short of a fundamental architectural change to the library, there may not be a complete fix.
Organizations using expr-eval should:
- Migrate to a sandboxed expression evaluator that does not use new Function() or eval() for execution.
- Alternatives include math.js (with its expression parser and security features), Jexl, or implementing a custom parser with a restricted grammar that compiles to safe operations rather than native code.
- If migration is not immediately possible, implement strict input sanitization — but note that sanitizing against code injection in this context is extremely difficult and should not be relied upon as the sole defense.
- Never pass untrusted user input to expr-eval under any circumstances.
Recommendations
- Audit your codebase and dependencies for any use of the expr-eval npm package. Check both direct dependencies and transitive dependencies.
- Identify all code paths where user-supplied data reaches expr-eval’s Parser.evaluate() or Parser.parse() methods.
- Prioritize migration to a sandboxed alternative. math.js with its math.parse() and math.evaluate() functions provides expression evaluation without code execution risks when properly configured.
- If you must continue using expr-eval temporarily, enforce an allowlist of permitted operations and characters, and never expose the evaluator to unauthenticated or external users.
- Monitor the expr-eval GitHub repository for any security patches or migration guidance from the maintainer.
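The restricted-grammar evaluator suggested under Fix and the operation allowlist recommended above, as an added example that is not expr-eval’s or any other project’s code: the grammar, the numeric-only scope rule and the helper names are assumptions made here. It interprets its own parse tree, so the input string is never handed to new Function() or eval().

```javascript
// Added example (not expr-eval code): a tiny evaluator that interprets its own
// parse tree, so the input string never reaches new Function() or eval().
// Constructed grammar:  expr := term (('+'|'-') term)*   term := factor (('*'|'/') factor)*
//   factor := '-' factor | base ('^' factor)?   base := NUMBER | IDENT | '(' expr ')'
// Any character outside that grammar is rejected before evaluation begins;
// scope is a plain object holding the numeric variables the caller explicitly allows.
const TOKEN_RE = /(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*/^()])|(\S)/g;
function tokenize(src) {
  const tokens = [];
  for (const m of src.matchAll(TOKEN_RE)) {
    if (m[1] !== undefined) tokens.push({ type: 'num', value: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: 'id', value: m[2] });
    else if (m[3] !== undefined) tokens.push({ type: 'op', value: m[3] });
    else throw new Error(`rejected character ${JSON.stringify(m[4])}`);
  }
  return tokens;
}
function safeEvaluate(src, scope = {}) {
  const tokens = tokenize(src); let pos = 0;
  const isOp = (...ops) => tokens[pos] && tokens[pos].type === 'op' && ops.includes(tokens[pos].value);
  const expect = (op) => { if (!isOp(op)) throw new Error(`expected '${op}' at token ${pos}`); pos++; };
  function expr() {
    let v = term();
    while (isOp('+', '-')) { const op = tokens[pos++].value; const r = term(); v = op === '+' ? v + r : v - r; }
    return v;
  }
  function term() {
    let v = factor();
    while (isOp('*', '/')) { const op = tokens[pos++].value; const r = factor(); v = op === '*' ? v * r : v / r; }
    return v;
  }
  function factor() {
    if (isOp('-')) { pos++; return -factor(); }
    const v = base();
    return isOp('^') ? (pos++, v ** factor()) : v;   // right-associative exponent
  }
  function base() {
    const t = tokens[pos];
    if (!t) throw new Error('unexpected end of expression');
    if (t.type === 'num') { pos++; return t.value; }
    if (t.type === 'id') {
      // Only own numeric properties of scope resolve; inherited names such as
      // 'constructor' or '__proto__' are reported as unknown variables.
      const own = Object.prototype.hasOwnProperty.call(scope, t.value) && typeof scope[t.value] === 'number';
      if (!own) throw new Error(`unknown variable ${t.value}`);
      pos++; return scope[t.value];
    }
    expect('('); const v = expr(); expect(')'); return v;
  }
  const result = expr();
  if (pos !== tokens.length) throw new Error(`unexpected token ${JSON.stringify(tokens[pos].value)}`);
  return result;
}
```

Because evaluation is a tree walk over a closed grammar, extending it (new functions, new operators) means adding a branch here rather than widening what reaches the JavaScript runtime.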
References
- NVD: CVE-2026-12866
- expr-eval source: toJSFunction() vulnerable code path
- npm: expr-eval package
- CWE-94: Improper Control of Generation of Code (Code Injection)
Part of the Vulnerability Intelligence series on threat-modeling.com. See the June 24, 2026 Vulnerability Intelligence Report for broader context.
