Executive Summary
In March 2024, a critical remote code execution (RCE) vulnerability was identified in expr-eval, a widely used JavaScript mathematical expression evaluator with over 800,000 weekly NPM downloads. The flaw, if exploited through maliciously crafted input, allowed attackers to execute arbitrary code within applications leveraging the vulnerable versions of the library. As expr-eval is integrated into numerous projects and frameworks, the supply-chain impact was significant, exposing countless downstream applications to the risk of compromise and highlighting the cascading dangers of third-party dependency vulnerabilities.
This incident underscores the increasing focus by attackers on widely adopted open-source libraries as high-leverage supply-chain targets. The expr-eval vulnerability echoes a broader industry trend where modern development practices introduce risks outside direct organizational control, prompting renewed concerns about dependency management, zero trust for software supply chains, and regulatory calls for heightened software bill of materials (SBOM) transparency.
Why This Matters Now
With the rapid adoption of open-source components in business-critical applications, vulnerabilities like the expr-eval RCE can propagate quickly and silently across organizations' digital supply chains. The incident demonstrates the urgency for proactive supply chain security, dependency monitoring, and rapid patching to prevent large-scale exploitation and regulatory fallout.
Attack Path Analysis
The attacker achieved initial compromise by exploiting the RCE vulnerability in the expr-eval JavaScript library, reached through the software supply chain. They possibly escalated privileges by gaining further access within the affected environment, potentially moving to higher-privilege workloads. The adversary then moved laterally within the cloud or container infrastructure, seeking sensitive assets and expanding access. They established command and control (C2) channels to issue remote instructions and maintain persistence. Data exfiltration occurred via outbound channels, with the attacker transferring sensitive information out of the environment. Ultimately, the impact included possible data loss, disruption of services, or deployment of additional malicious code.
Kill Chain Progression
Initial Compromise
Description
Exploitation of the expr-eval JavaScript library RCE vulnerability through maliciously crafted input, resulting in remote code execution via a supply chain avenue.
Related CVEs
CVE-2025-12735
CVSS 9.8
The expr-eval library allows arbitrary code execution due to insufficient input validation in the evaluate() function.
Affected Products:
silentmatt expr-eval – <= 1.2.0
jorenbroekema expr-eval-fork – <= 2.0.0
Exploit Status:
Proof of concept
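The CVE entry above attributes the flaw to insufficient validation of the input handed to evaluate(). The following is an added example, not code from the advisory or from the expr-eval project, showing the defensive side: a guard that an application can place between request data and any expression evaluator so that untrusted callers may only supply plain numeric or boolean variable values, never functions, nested objects or prototype-polluting keys. The evaluator itself is represented by a hypothetical callback (`evaluateWithScope`), and the request bodies are constructed sample input.

```javascript
// Added example (not part of the advisory or of expr-eval): validate the
// variable scope before it reaches an expression evaluator.

// Identifier-only variable names; anything else is rejected outright.
const NAME_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;
// Names that must never come from untrusted input even though they match NAME_RE.
const RESERVED = new Set(["__proto__", "constructor", "prototype"]);
const MAX_VARS = 64;          // assumed limit; tune per application
const MAX_EXPR_LENGTH = 1000; // assumed limit on expression text

// Returns a prototype-less copy of `untrusted` containing only finite numbers
// and booleans. Throws on anything else, including functions and objects.
function sanitizeScope(untrusted) {
  if (untrusted === null || typeof untrusted !== "object" || Array.isArray(untrusted)) {
    throw new TypeError("scope must be a plain object");
  }
  const keys = Object.keys(untrusted); // own enumerable keys only
  if (keys.length > MAX_VARS) {
    throw new RangeError(`too many variables (${keys.length} > ${MAX_VARS})`);
  }
  const clean = Object.create(null); // nothing is inherited from Object.prototype
  for (const key of keys) {
    if (!NAME_RE.test(key) || RESERVED.has(key)) {
      throw new TypeError(`invalid variable name: ${JSON.stringify(key)}`);
    }
    const value = untrusted[key];
    if (typeof value === "number" && Number.isFinite(value)) {
      clean[key] = value;
    } else if (typeof value === "boolean") {
      clean[key] = value;
    } else {
      throw new TypeError(`variable ${key} must be a finite number or boolean, got ${typeof value}`);
    }
  }
  return clean;
}

// Wrapper the application would call instead of invoking the evaluator directly.
// `evaluateWithScope(expression, scope)` is a hypothetical adapter around the
// real evaluator; only the sanitized scope ever reaches it.
function safeEvaluate(evaluateWithScope, expression, untrustedScope) {
  if (typeof expression !== "string" || expression.length > MAX_EXPR_LENGTH) {
    throw new TypeError("expression must be a string within the length limit");
  }
  const scope = sanitizeScope(untrustedScope);
  return evaluateWithScope(expression, scope);
}

// Constructed sample request bodies, as they might arrive from JSON.parse().
const SAMPLE_GOOD = JSON.parse('{"x": 2, "y": 3.5}');
const SAMPLE_BAD = [
  JSON.parse('{"x": "2"}'),               // string, not a number
  JSON.parse('{"x": {"nested": 1}}'),     // object
  JSON.parse('{"__proto__": 1}'),         // reserved key (own property after JSON.parse)
  { x: () => 1 },                         // function value
];

// Stand-in for the real evaluator so the example runs offline: adds x and y.
function demoEvaluator(expression, scope) {
  return expression === "x + y" ? scope.x + scope.y : NaN;
}

// Runs the samples through the guard and reports how many were rejected.
function runDemo() {
  const ok = safeEvaluate(demoEvaluator, "x + y", SAMPLE_GOOD);
  let rejected = 0;
  for (const body of SAMPLE_BAD) {
    try {
      sanitizeScope(body);
    } catch (err) {
      rejected += 1;
      console.log(`rejected: ${err.message}`);
    }
  }
  console.log(`accepted scope evaluated to ${ok}; ${rejected} of ${SAMPLE_BAD.length} bad scopes rejected`);
  return { ok, rejected };
}
```

The guard is deliberately an allowlist: rather than trying to recognise dangerous values, it accepts only the two value types an arithmetic expression needs and rejects everything else, so a new class of unexpected object is rejected by default rather than passed through.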
MITRE ATT&CK® Techniques
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Command and Scripting Interpreter
Exploitation for Client Execution
Phishing
Process Injection
Valid Accounts
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Impair Defenses
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of Software and Dependencies
Control ID: 6.3.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy Implementation
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Third-Party Risk Management
Control ID: Art. 9
CISA Zero Trust Maturity Model 2.0 – Continuous Inventory of Assets and Dependencies
Control ID: Architecture and Asset Management – Asset Inventory
NIS2 Directive – Cybersecurity Risk Management – Supply Chain Security
Control ID: Art. 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Critical supply-chain vulnerability in expr-eval JavaScript library with 800K+ weekly downloads enables RCE attacks, requiring immediate dependency audits and segmentation controls.
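The dependency audit called for above can be automated against a project's lockfile. The following is an added example, not code from the advisory or from any vendor product, that scans an npm package-lock.json for the two affected packages and version ceilings listed in the Related CVEs section (expr-eval <= 1.2.0, expr-eval-fork <= 2.0.0), including copies nested under other dependencies. The lockfile content is a constructed sample; the version comparison is a minimal major.minor.patch compare written for this example rather than the semver package.

```javascript
// Added example (not part of the advisory): flag affected expr-eval versions
// in an npm lockfile. Supports the v2/v3 "packages" map and the v1
// nested "dependencies" tree.

// Affected ranges from the advisory: package name -> highest affected version (inclusive).
const AFFECTED = {
  "expr-eval": "1.2.0",
  "expr-eval-fork": "2.0.0",
};

// Constructed sample lockfile (lockfileVersion 3) with one top-level and one
// nested affected copy.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "calc-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "calc-app", version: "1.0.0", dependencies: { "expr-eval": "^1.2.0" } },
    "node_modules/expr-eval": { version: "1.2.0" },
    "node_modules/some-lib": { version: "4.1.0" },
    "node_modules/some-lib/node_modules/expr-eval-fork": { version: "2.0.0" },
    "node_modules/other-lib": { version: "0.3.1" },
  },
});

// Compares major.minor.patch numerically. A prerelease suffix is dropped, so
// "1.2.1-beta" compares as "1.2.1"; for an audit this errs toward flagging.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The package name is everything after the last "node_modules/" segment,
// which keeps scoped names such as "@scope/name" intact.
function packageNameFromPath(p) {
  const marker = "node_modules/";
  const idx = p.lastIndexOf(marker);
  return idx === -1 ? p : p.slice(idx + marker.length);
}

function checkEntry(path, name, version, findings) {
  const maxAffected = AFFECTED[name];
  if (maxAffected && typeof version === "string" && compareVersions(version, maxAffected) <= 0) {
    findings.push({ path, name, version, maxAffected });
  }
}

// v1 lockfiles nest transitive dependencies under each entry's "dependencies".
function walkV1(deps, prefix, findings) {
  for (const [name, entry] of Object.entries(deps)) {
    const path = `${prefix}node_modules/${name}`;
    checkEntry(path, name, entry.version, findings);
    if (entry.dependencies) walkV1(entry.dependencies, `${path}/`, findings);
  }
}

// Returns one finding per installed copy of an affected package.
function auditLockfile(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const findings = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry, not a dependency
      checkEntry(path, packageNameFromPath(path), entry.version, findings);
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, "", findings);
  }
  return findings;
}

// CLI use: node audit.js path/to/package-lock.json (falls back to the sample).
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const text = process.argv[2] ? fs.readFileSync(process.argv[2], "utf8") : SAMPLE_LOCKFILE;
  const findings = auditLockfile(text);
  for (const f of findings) {
    console.log(`AFFECTED ${f.name}@${f.version} at ${f.path} (affected <= ${f.maxAffected})`);
  }
  console.log(findings.length
    ? `${findings.length} affected package(s) found`
    : "no affected expr-eval versions found");
}
```

Because the scan walks the lockfile rather than package.json, it catches transitive copies pulled in by other dependencies, which is where a library like expr-eval most often hides in an application that never imports it directly.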
Financial Services
JavaScript RCE vulnerability threatens web applications handling sensitive financial data, necessitating enhanced egress security and threat detection to prevent data exfiltration.
Health Care / Life Sciences
Supply-chain attack vector compromises patient data systems using vulnerable JavaScript libraries, demanding HIPAA-compliant network segmentation and encrypted traffic monitoring.
E-Learning
Educational platforms using affected JavaScript library face remote code execution risks, requiring multicloud visibility controls and Kubernetes security for student data protection.
Sources
- Popular JavaScript library expr-eval vulnerable to RCE flaw: https://www.bleepingcomputer.com/news/security/popular-javascript-library-expr-eval-vulnerable-to-rce-flaw/
- Vulnerability Note VU#263614: expr-eval JavaScript library vulnerable to arbitrary code execution: https://www.kb.cert.org/vuls/id/263614
- NVD - CVE-2025-12735: https://nvd.nist.gov/vuln/detail/CVE-2025-12735
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust controls such as segmentation, egress enforcement, inline threat detection, and east-west visibility could have significantly limited the exploit's blast radius, detected malicious behavior, and prevented data exfiltration or service disruption. Applying CNSF-aligned capabilities forces least privilege, restricts movement, and allows rapid detection of ransomware or abnormal remote code execution linked to supply chain attacks.
Control: Inline IPS (Suricata)
Mitigation: Malicious payloads exploiting the RCE vulnerability are detected and blocked inline.
Control: Zero Trust Segmentation
Mitigation: Unauthorized privilege elevation is constrained by identity-based segmentation and least privilege policy.
Control: East-West Traffic Security
Mitigation: Unauthorized internal access attempts across workloads are blocked and detected.
Control: Cloud Firewall (ACF)
Mitigation: Outbound C2 channels to malicious infrastructure are blocked at the cloud perimeter.
Control: Egress Security & Policy Enforcement
Mitigation: Exfiltration attempts are rapidly detected and blocked based on outbound traffic policies.
Abnormal processes, encryption behavior, or destructive actions are detected and incidents triggered.
Impact at a Glance
Affected Business Functions
- Online Calculators
- Educational Suites
- Simulation Tools
- Financial Tools
- AI and NLP Systems
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive user data processed by applications utilizing the expr-eval library.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation to contain supply chain exploit attempts to their originating workload and namespace.
- Deploy inline IPS and threat detection to all cloud ingress and east-west traffic to block known and emerging RCE exploits.
- Implement egress policy enforcement to tightly control and monitor outbound connections, preventing data exfiltration and C2 channels.
- Enable east-west visibility and microsegmentation in Kubernetes/cloud environments to rapidly detect and block unauthorized lateral movement.
- Continuously monitor for anomaly and ransomware behaviors at cloud workload and network layers to enable swift incident response.