Security Patch.

Open sei-vsarvepalli opened this issue 5 months ago • 11 comments

Fixes a vulnerability in the expr-eval package. We are unable to reach the researcher, @silentmatt, and @jorenbroekema, developers who have their versions in the npmjs repository.

Vijay Sarvepalli on behalf of CERT/CC

sei-vsarvepalli, Nov 04 '25 23:11

I'm in the remote outback of Australia on a trip so that's why I've been hard to reach. When I have slightly better connection I'll try to make sure this is resolved on my end (jorenbroekema/expr-eval-fork). Sorry for not being as responsive as I would usually be!

jorenbroekema, Nov 06 '25 13:11

Could you take a look at https://github.com/jorenbroekema/expr-eval/pull/1, @sei-vsarvepalli? I created a PR on my fork to include these security fixes, some linting fixes, and an exports map (since we're doing a breaking change anyway, it makes sense imo to include it now; see also https://github.com/silentmatt/expr-eval/issues/280).

jorenbroekema, Nov 07 '25 00:11

Continued work in https://github.com/jorenbroekema/expr-eval/pull/1

sei-vsarvepalli, Nov 07 '25 03:11

Released v3.0.0 of expr-eval-fork; please note the changelog for the breaking changes that were included in this release.

jorenbroekema, Nov 08 '25 06:11

@sei-vsarvepalli Is it possible to also issue a CVE for the original prototype pollution? It also leads to RCE, but without requirements for context. I was unable to contact the original discoverer @yoshino-s or the maintainer @silentmatt.

That vulnerability only affects expr-eval, not expr-eval-fork.

vladko312, Nov 14 '25 05:11

Sure, it has been reserved and published now as CVE-2025-13204.

sei-vsarvepalli, Nov 14 '25 17:11

Thank you! It will make the issue easier to track.

Here are some links that could be added:

  • Original prototype pollution advisory: https://www.huntr.dev/bounties/1-npm-expr-eval/
  • SECCON CTF 2022 official solution for expr-eval-based RCE challenge: https://github.com/SECCON/SECCON2022_final_CTF/blob/main/jeopardy/web/babybox/solver/solver.py
  • My payload for automated RCE (as an SSTImap module, if needed): https://github.com/vladko312/extras/blob/f549d505af300fd74a01b46fab2102990ff1c14d/expr-eval.py

vladko312, Nov 14 '25 20:11

I've just noticed this issue, and I'm the author of the CTF challenge that used this library. For your reference, here is the writeup: https://blog.arkark.dev/2023/02/17/seccon-finals/#web-100-babybox

Thank you for your work in handling this vulnerability.

arkark, Nov 16 '25 13:11

Please also see that we are also trying to solve https://github.com/silentmatt/expr-eval/issues/289

sei-vsarvepalli, Nov 18 '25 16:11

https://github.com/silentmatt/expr-eval/pull/291 is work in progress (on the fork), but I need some help with the failing tests that the member-access patch introduced.

jorenbroekema, Nov 25 '25 04:11

https://github.com/sei-vsarvepalli/expr-eval-secure/tree/member-access is ready for fine-tuning and release to npm.

sei-vsarvepalli, Nov 25 '25 16:11
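The thread above refers to a prototype-pollution path that reaches RCE with no host-supplied context, and to a member-access patch whose tests are still being sorted out. The block below is an added illustration of the check such a patch has to make; it is not code from expr-eval, expr-eval-fork, the CERT/CC branch, or any of the linked PRs, and the `safeMember` / `resolvePath` names and the variables object are constructed for this example. It resolves a dotted path like `a.b.c` the way an expression evaluator would, but only through own, non-function properties of plain data, so neither `constructor` nor anything inherited from `Object.prototype` is reachable from expression text.

```javascript
// Added example, not code from expr-eval, expr-eval-fork or the patch under
// discussion: a minimal member-access resolver for `a.b.c` written so that
// expression text can never walk the prototype chain. The function names and
// the sample variables object are constructed for illustration.

// Names that alias the prototype or the constructor are refused outright,
// even if a caller has defined them as own properties (e.g. via JSON.parse).
const BLOCKED_NAMES = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain data may be the left-hand side of a member access: primitives,
// arrays, and objects whose prototype is Object.prototype or null.
// Functions, class instances and host objects are rejected.
function isPlainData(value) {
  if (value === null || value === undefined) return false;
  const t = typeof value;
  if (t === 'string' || t === 'number' || t === 'boolean') return true;
  if (t !== 'object') return false; // function, symbol, bigint
  if (Array.isArray(value)) return true;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Read obj[name] only if it is an own, non-function property. Inherited
// members (toString, valueOf, a polluted Object.prototype key, ...) resolve
// to undefined instead of the prototype's value.
function safeMember(obj, name) {
  if (BLOCKED_NAMES.has(name)) {
    throw new Error(`member access to "${name}" is not allowed`);
  }
  if (!isPlainData(obj)) {
    throw new Error('member access on a non-data value is not allowed');
  }
  if (!Object.prototype.hasOwnProperty.call(obj, name)) {
    return undefined;
  }
  const value = obj[name];
  if (typeof value === 'function') {
    throw new Error(`member "${name}" is a function and cannot be read`);
  }
  return value;
}

// Resolve a dotted path such as "user.name" against the variables object the
// host passes to the evaluator. Every hop goes through safeMember.
function resolvePath(vars, path) {
  return path.split('.').reduce((cur, part) => safeMember(cur, part), vars);
}

// Usage on a constructed variables object.
const vars = { user: { name: 'alice' }, tags: ['a', 'b'] };
console.log(resolvePath(vars, 'user.name'));   // alice
console.log(resolvePath(vars, 'tags.length')); // 2
for (const p of ['constructor.constructor', '__proto__.polluted', 'user.toString']) {
  try {
    console.log(p, '->', resolvePath(vars, p));
  } catch (e) {
    console.log(p, '-> rejected:', e.message);
  }
}
```

Denylisting `constructor` on its own is not sufficient, which is why the own-property and plain-data checks are there: any inherited member, and any value that is a function or an instance of something other than a plain object, gives expression text a way back to `Function` and therefore to arbitrary code. The trade-off is that legitimate inherited members (`toFixed`, `toUpperCase`) also become invisible, so an evaluator taking this approach exposes such operations as explicit built-in functions rather than as member calls.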