CVE-2026-12866
Code Execution in expr-eval via toJSFunction()

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: Snyk

Description
All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are transformed directly into executable JavaScript, attackers can escape the intended expression sandbox and run arbitrary code within the application's context.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Associated CPEs: 1
Vendor: silentmatt
Product: expr-eval
Version / Range: up to 2.11.0 (exclusive)
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Quick Actions
Executive Summary

CVE-2026-12866 is a critical vulnerability in all versions of the expr-eval package, specifically in its toJSFunction() API. This API compiles user-supplied expressions into native JavaScript code using the Function constructor (new Function()). Because these expressions are directly transformed into executable code without proper isolation, an attacker can craft malicious expressions that escape the intended sandbox and execute arbitrary JavaScript within the application's context.

In Node.js environments, this vulnerability is especially dangerous because attackers can exploit it to access Node.js globals like process, enabling actions such as file system access, command execution, and privilege escalation. The root cause is that variable values are coerced via toString() and passed directly into new Function(), allowing attacker-controlled code execution.

Impact Analysis

This vulnerability can have severe impacts including remote code execution (RCE) within the affected application. An attacker can execute arbitrary JavaScript code without any user interaction or special privileges, potentially leading to unauthorized file writes, system command execution, and privilege escalation.

Because the exploit can be performed remotely with low complexity, it poses a significant risk to the confidentiality, integrity, and availability of the system running the vulnerable expr-eval package. Applications exposing expression evaluation to untrusted users or reusing compiled expressions for performance are particularly at risk.

Detection Guidance

Detection of this vulnerability involves identifying usage of the expr-eval package's toJSFunction() API in your Node.js applications, especially where untrusted user input is passed to it.

Since the vulnerability arises from execution of arbitrary JavaScript via crafted expressions, you can look for suspicious or unexpected calls to toJSFunction() in your codebase or runtime.

No network-level indicators for detecting exploitation attempts are provided, but you can audit your application logs for unusual behavior or errors related to expression evaluation.

In your Node.js environment, you might use commands to search for usage of toJSFunction(), for example:

  • grep -r "toJSFunction" ./node_modules/expr-eval
  • grep -r "toJSFunction" ./src

Additionally, monitoring runtime behavior for unexpected execution of new Function() or suspicious process activity may help detect exploitation.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the toJSFunction() API with untrusted input in your applications.

Since there is currently no fixed version of the expr-eval package available, you should consider removing or replacing the vulnerable functionality or package.

Restrict or sanitize any user input that might be passed to expression evaluation to prevent injection of malicious code.

Implement runtime monitoring and restrict permissions of the Node.js process to limit the impact of potential exploitation.

Stay updated with the package repository and security advisories for any patches or fixes.
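The input restriction described under the mitigation steps above, as an added defensive example that is neither expr-eval's code nor part of this advisory. It assumes a compiler callback with the hypothetical signature compile(expr, vars) standing in for whatever wraps the package's toJSFunction() call; the names validateVariables, validateExpression and guardedCompile are the example's own. Because the advisory's root cause is that variable values are coerced via toString() and spliced into new Function(), the gate admits only plain finite numbers and booleans as values, identifier-shaped names as keys, and a small arithmetic character set in the expression text, and it refuses to call the compiler otherwise.

```javascript
// Added example (not expr-eval's code): gate what reaches an expression
// compiler. The compiler is injected as a callback with the assumed signature
// compile(expr, vars), so this file runs without the package installed.

const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;
// Letters, digits, underscore, whitespace and arithmetic/comparison operators
// only: no quotes, brackets, braces, semicolons or backticks, so no JavaScript
// statement can be smuggled into the expression text.
const EXPRESSION_CHARS = /^[\w\s+\-*\/%^().,<>=!]*$/;
const RESERVED_NAMES = new Set(['__proto__', 'constructor', 'prototype']);
const MAX_EXPRESSION_LENGTH = 256;

function isSafeValue(value) {
  // Objects, functions and strings are rejected outright: their toString()
  // output is exactly what would be inserted into generated source.
  return typeof value === 'boolean' ||
    (typeof value === 'number' && Number.isFinite(value));
}

function validateVariables(vars) {
  // Returns { ok: true, vars: <own-property copy> } or { ok: false, reason }.
  if (vars === null || typeof vars !== 'object' || Array.isArray(vars)) {
    return { ok: false, reason: 'variables must be a plain object' };
  }
  const clean = Object.create(null); // no prototype to pollute or walk
  for (const name of Object.keys(vars)) {
    if (!IDENTIFIER.test(name) || RESERVED_NAMES.has(name)) {
      return { ok: false, reason: `invalid variable name: ${name}` };
    }
    const value = vars[name];
    if (!isSafeValue(value)) {
      return { ok: false, reason: `unsafe value for ${name}: ${typeof value}` };
    }
    clean[name] = value;
  }
  return { ok: true, vars: clean };
}

function validateExpression(expr) {
  if (typeof expr !== 'string') {
    return { ok: false, reason: 'expression must be a string' };
  }
  if (expr.length > MAX_EXPRESSION_LENGTH) {
    return { ok: false, reason: 'expression too long' };
  }
  if (!EXPRESSION_CHARS.test(expr)) {
    return { ok: false, reason: 'expression contains disallowed characters' };
  }
  return { ok: true };
}

function guardedCompile(compile, expr, vars) {
  // Throws instead of compiling whenever either input fails validation.
  const e = validateExpression(expr);
  if (!e.ok) throw new Error(`rejected expression: ${e.reason}`);
  const v = validateVariables(vars);
  if (!v.ok) throw new Error(`rejected variables: ${v.reason}`);
  return compile(expr, v.vars);
}

// Constructed demo: a stand-in compiler that only echoes its inputs.
const echoCompile = (expr, vars) => `${expr} | ${Object.keys(vars).join(',')}`;
console.log(guardedCompile(echoCompile, 'x * 2 + y', { x: 1, y: 2.5 }));
for (const [expr, vars] of [
  ['x; y', { x: 1, y: 2 }],                               // statement separator
  ['x + y', { x: { toString() { return '1'; } }, y: 2 }], // object value
  ['x + y', { 'x y': 1, y: 2 }],                          // non-identifier name
]) {
  try { guardedCompile(echoCompile, expr, vars); }
  catch (err) { console.log('blocked:', err.message); }
}
```

In an application that does use expr-eval, the injected compile callback would be the place that calls the parsed expression's toJSFunction(); the gate sits in front of it so that nothing user-controlled other than numbers, booleans and a restricted expression string ever reaches code generation. Tightening the character set further, or replacing it with a proper tokenizer, is the natural next step if the application only needs a subset of arithmetic.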
