External risk intelligence

expr-eval toJSFunction API Code Execution Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-12866

The vulnerability exists in a software library (expr-eval) used to evaluate expressions. While this library may be used in internet-facing web applications to process user input, its use is varied and context-dependent. It is not inherently a public-facing service itself, and its exposure depends entirely on how a developer integrates it into their specific application.

Code Injection

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in the expr-eval package, which allows for the evaluation of mathematical expressions. The issue enables attackers to execute arbitrary JavaScript code by providing specially crafted expressions, potentially leading to unauthorized code execution within affected applications.

  • Code execution risk via expression evaluation.
  • Understand how expression libraries can be exploited.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted expressions to an application that uses the expr-eval library. The vulnerable `toJSFunction()` API compiles these expressions into JavaScript code, allowing attackers to bypass intended restrictions and execute arbitrary commands within the application's environment.

  • Network access allows attacker interaction.
  • Crafted expressions trigger arbitrary code execution.
  • Risk is application-level code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to execute arbitrary JavaScript code within the context of an application that uses the `expr-eval` library. This could occur when an application processes user-supplied expressions that are then compiled into executable code without sufficient sanitization, potentially leading to unauthorized actions or data compromise.

  • Application code execution.
  • User-supplied expressions compiled.
  • Unauthorized actions, data compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-world remediation requires identifying which teams are responsible for the `expr-eval` library, typically application owners or platform teams depending on how it's integrated. The first practical step is to inventory where this library is deployed, assess its reachability and business criticality, and then assign ownership for remediation planning based on the identified risk.

  • Application owners should manage remediation.
  • Verify library usage and exposure first.
  • Plan remediation based on risk assessment.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the expr-eval package?

expr-eval is a JavaScript library developers use to parse and calculate mathematical expressions dynamically. It is commonly embedded in web applications to allow users to input formulas or calculations—such as in spreadsheet tools, reporting dashboards, or custom data-entry forms—without the application needing to write complex, custom parsing logic from scratch.

How does CVE-2026-12866 allow code execution?

This vulnerability is classified as CWE-94: Improper Control of Generation of Code. The library's toJSFunction() API is designed to turn mathematical expressions into executable JavaScript. Because it does not safely sanitize inputs, an attacker can craft a malicious expression that breaks out of the intended logic to run arbitrary commands, effectively tricking the application into executing code it was never supposed to process.

Do I need to worry if my app uses expr-eval for hardcoded formulas?

Not necessarily. The vulnerability is triggered when the application passes untrusted, user-supplied input into the vulnerable API. If your application only uses the library to process internal, hardcoded formulas that cannot be modified or influenced by external users, the specific attack path required to trigger this code execution is not present.

How does Halo Surface Signal help me understand my risk?

Halo Surface Signal identifies this as a potential risk because expr-eval is a library, not a standalone service. Your actual risk depends on how your team integrated it. If the library is used in an application that accepts input directly from the internet, your surface area is larger. If it is used only in backend tools inaccessible to the public, the likelihood of a remote exploit is significantly reduced.

What should I do to address this vulnerability?

Start by identifying all applications in your environment that rely on the expr-eval library. Once you have an inventory, determine if those applications pass user-provided data to the toJSFunction() API. If they do, prioritize these systems for remediation by working with the application owners to limit the input or switch to a more secure method of expression evaluation.

References