← back
CVE-2025-13204

CVE-2025-13204

CVSS 7.3 HIGHEPSS 0.4%CWE-1321
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.3EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
14 Nov 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Affected products
silentmatt · expr-eval

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/jorenbroekema/expr-evalhttps://github.com/SECCON/SECCON2022_final_CTF/blob/main/jeopardy/web/babybox/solver/solver.pyhttps://github.com/silentmatt/expr-evalhttps://github.com/silentmatt/expr-eval/pull/252/fileshttps://github.com/vladko312/extras/blob/f549d505af300fd74a01b46fab2102990ff1c14d/expr-eval.pyhttps://www.huntr.dev/bounties/1-npm-expr-eval/https://www.npmjs.com/package/expr-eval-fork