CVE-2026-12866
expr-eval · expr-eval
The expr-eval package is vulnerable to arbitrary code execution via the toJSFunction() API due to insufficient sandboxing of user-supplied expressions.
Executive summary
The expr-eval library contains a critical code execution vulnerability that allows attackers to escape the application sandbox and execute arbitrary JavaScript code.
Vulnerability
The vulnerability exists in the toJSFunction() API, which compiles user-controlled expressions into JavaScript functions using new Function(). Because the expression text becomes part of a function body, an attacker can bypass the intended sandbox restrictions and execute arbitrary JavaScript within the application's context.
Business impact
The CVSS score of 9.8 highlights the severity of this remote code execution flaw. If an application utilizes this library to process untrusted input, an attacker could gain full control over the application's runtime environment, leading to data theft, unauthorized service modifications, or further system exploitation.
Remediation
Immediate Action: Update to the latest version of expr-eval if a patch is available, or refactor the application to avoid passing untrusted input to the toJSFunction() API.
Proactive Monitoring: Monitor application logs for unexpected system calls or anomalous JavaScript execution patterns that deviate from normal application behavior.
Compensating Controls: Implement input validation and sanitization layers to ensure that expressions passed to the library are strictly controlled and do not contain malicious payloads.
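To make the refactoring and input-validation advice above concrete, the following JavaScript is an added example (not code from the expr-eval project) that places the pattern the advisory describes, compiling expression text with new Function(), beside a small tree-walking evaluator that never turns user input into code. The evaluator accepts only an assumed arithmetic grammar (numbers, declared variables, + - * / ^ and parentheses); anything else, including member access, calls and statement separators, is rejected at parse time. Function names, the grammar and the error messages are assumptions for this example, and the expr-eval API itself is not called so the snippet runs offline.

```javascript
// Added example: a compile-free expression evaluator as a replacement for
// passing untrusted input to an API that uses new Function().
//
// Assumed grammar for this example:
//   expr    := term (('+'|'-') term)*
//   term    := unary (('*'|'/') unary)*
//   unary   := '-' unary | power
//   power   := primary ('^' unary)?
//   primary := NUMBER | IDENT | '(' expr ')'

function tokenize(src) {
  const tokens = [];
  // Sticky regex: each match must start exactly at `pos`, so any character
  // outside the allowlist (e.g. '.', ';', '[', quotes) is a hard error.
  const re = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*\/^()]))/y;
  const text = src.trim();
  let pos = 0;
  while (pos < text.length) {
    re.lastIndex = pos;
    const m = re.exec(text);
    if (!m) throw new Error(`unexpected character at offset ${pos}`);
    pos = re.lastIndex;
    if (m[1] !== undefined) tokens.push({ type: 'num', value: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: 'id', value: m[2] });
    else tokens.push({ type: 'op', value: m[3] });
  }
  return tokens;
}

function parse(tokens) {
  let i = 0;
  const peek = () => tokens[i];
  const next = () => tokens[i++];
  const isOp = (v) => peek() !== undefined && peek().type === 'op' && peek().value === v;

  function expr() {
    let node = term();
    while (isOp('+') || isOp('-')) node = { type: 'bin', op: next().value, left: node, right: term() };
    return node;
  }
  function term() {
    let node = unary();
    while (isOp('*') || isOp('/')) node = { type: 'bin', op: next().value, left: node, right: unary() };
    return node;
  }
  function unary() {
    if (isOp('-')) { next(); return { type: 'neg', operand: unary() }; }
    return power();
  }
  function power() {
    const base = primary();
    if (isOp('^')) { next(); return { type: 'bin', op: '^', left: base, right: unary() }; }
    return base;
  }
  function primary() {
    const t = next();
    if (t === undefined) throw new Error('unexpected end of expression');
    if (t.type === 'num') return { type: 'num', value: t.value };
    if (t.type === 'id') return { type: 'var', name: t.value };
    if (t.type === 'op' && t.value === '(') {
      const node = expr();
      if (!isOp(')')) throw new Error("expected ')'");
      next();
      return node;
    }
    throw new Error(`unexpected token '${t.value}'`);
  }

  const tree = expr();
  // Leftover tokens mean syntax the grammar does not cover, e.g. a call "f(1)".
  if (i !== tokens.length) throw new Error(`unexpected token '${tokens[i].value}'`);
  return tree;
}

function evaluate(node, vars) {
  switch (node.type) {
    case 'num': return node.value;
    case 'var':
      // Own numeric properties only: inherited names such as "constructor" are not variables.
      if (!Object.prototype.hasOwnProperty.call(vars, node.name) || typeof vars[node.name] !== 'number') {
        throw new Error(`undeclared variable '${node.name}'`);
      }
      return vars[node.name];
    case 'neg': return -evaluate(node.operand, vars);
    case 'bin': {
      const l = evaluate(node.left, vars);
      const r = evaluate(node.right, vars);
      if (node.op === '+') return l + r;
      if (node.op === '-') return l - r;
      if (node.op === '*') return l * r;
      if (node.op === '/') return l / r;
      return l ** r;
    }
    default: throw new Error('malformed syntax tree');
  }
}

// Safe path: the expression is interpreted from its syntax tree; no JavaScript is generated.
function evaluateSafe(src, vars = {}) {
  return evaluate(parse(tokenize(src)), vars);
}

// Gate for an input-validation layer: true only if the text is a well-formed arithmetic expression.
function isAccepted(src, vars = {}) {
  try { evaluateSafe(src, vars); return true; } catch (e) { return false; }
}

// The pattern the advisory warns about: the expression text becomes a function body,
// so the accepted "grammar" is the entire JavaScript language. Shown for contrast only.
function compileUnsafe(src, names) {
  return new Function(...names, `return (${src});`);
}
```

For legitimate input both paths produce the same numbers, so replacing a compiling API with an interpreter costs nothing functionally; the difference is that the interpreter's grammar is the whole attack surface, and it is a few dozen lines you control.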
Exploitation status
Public Exploit Available: No
Analyst recommendation
Because this vulnerability affects all versions of the library, it requires immediate attention. Organizations using expr-eval must audit their code for usage of the toJSFunction() API and implement the necessary updates or architectural changes to mitigate the risk of arbitrary code execution.