Secure expression evaluator - Drop-in replacement for expr-eval without CVE-2025-12735 vulnerability
A secure, drop-in replacement for expr-eval, which is vulnerable to CVE-2025-12735 - a critical arbitrary code execution vulnerability. safe-expr-eval provides the same API without using eval() or Function() constructors, making it safe from code injection attacks.

## Installation

```bash
npm install safe-expr-eval
```
## Quick Start

### Parse and evaluate

```typescript
import { Parser } from 'safe-expr-eval';

const parser = new Parser();
const expr = parser.parse('2 * x + 1');
console.log(expr.evaluate({ x: 3 })); // Output: 7
console.log(expr.evaluate({ x: 10 })); // Output: 21
```
### Evaluate directly

```typescript
import { evaluate } from 'safe-expr-eval';

const result = evaluate('10 + 5 * 2');
console.log(result); // Output: 20
```
### Compile into a reusable function

```typescript
import { compile } from 'safe-expr-eval';

// The multiplication operators were lost in rendering; the expression is price * quantity * (1 - discount)
const fn = compile('price * quantity * (1 - discount)');
console.log(fn({ price: 100, quantity: 2, discount: 0.1 })); // 180
console.log(fn({ price: 50, quantity: 5, discount: 0.2 })); // 200
```
## Migration from expr-eval
Simply replace your import statement:
```typescript
// Before (vulnerable)
import { Parser } from 'expr-eval';

// After (secure)
import { Parser } from 'safe-expr-eval';
```
That's it! The API is 100% compatible.
## Supported Operations

### Arithmetic
- Addition: `+`
- Subtraction: `-`
- Multiplication: `*`
- Division: `/`
- Modulo: `%`

### Comparison
- Equal: `==`
- Not equal: `!=`
- Greater than: `>`
- Less than: `<`
- Greater or equal: `>=`
- Less or equal: `<=`

### Logical
- AND: `and` or `&&`
- OR: `or` or `||`
- NOT: `not` or `!`

### Values
- Numbers: `42`, `3.14`
- Strings: `"hello"`, `'world'`
- Booleans: `true`, `false`
- Variables: `x`, `price`, `user.name`
### Custom Functions

```typescript
const parser = new Parser();

// Add custom functions
parser.functions.max = Math.max;
parser.functions.min = Math.min;
parser.functions.round = Math.round;

const expr = parser.parse('round(max(a, b) * 1.5)');
console.log(expr.evaluate({ a: 10, b: 20 })); // Output: 30
```
### Constants

```typescript
const parser = new Parser();

// Define constants
parser.consts.PI = Math.PI;
parser.consts.TAX_RATE = 0.15;

const expr = parser.parse('price * (1 + TAX_RATE)');
console.log(expr.evaluate({ price: 100 })); // Output: 115
```
## Security

1. No `eval()` - We never use JavaScript's `eval()` function
2. No `Function` constructor - We don't dynamically create executable code
3. Tokenization & Parsing - Expressions are parsed into tokens and evaluated safely
4. Type safety - Built with TypeScript for additional safety guarantees
The original expr-eval library uses the Function constructor to dynamically create executable code from strings, which can be exploited for arbitrary code execution:

```javascript
// Vulnerable code (DO NOT USE)
const Parser = require('expr-eval').Parser;
const parser = new Parser();

// Attacker can inject malicious code
const malicious = 'process.exit()';
parser.evaluate(malicious); // Executes arbitrary code!
```
safe-expr-eval prevents this by parsing expressions into an Abstract Syntax Tree (AST) and evaluating them safely without code generation.
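To make the tokenize-parse-evaluate approach concrete, here is a small evaluator written in the same spirit as an added example; it is not the safe-expr-eval source, and its `FUNCS` allow-list, token shapes and precedence table are my own choices. It covers numbers, variables, the operators listed above and allow-listed function calls (no string or boolean literals), resolves variables only from own, primitive-valued properties of the supplied object, and never calls anything that is not in the allow-list, so prototype members and caller-supplied functions are unreachable from an expression.

```javascript
// Added example, not the safe-expr-eval source: tokenize -> parse -> AST walk, no eval()/Function.
const FUNCS = Object.assign(Object.create(null), { max: Math.max, min: Math.min, round: Math.round });
const PREC = Object.assign(Object.create(null), { or: 1, '||': 1, and: 2, '&&': 2, '==': 3, '!=': 3,
  '<': 4, '>': 4, '<=': 4, '>=': 4, '+': 5, '-': 5, '*': 6, '/': 6, '%': 6 }); // null proto: "constructor" misses
function tokenize(src) {
  const re = /(\s+)|(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|(==|!=|>=|<=|&&|\|\||[-+*\/%()<>!,])/y, out = [];
  for (let m; re.lastIndex < src.length; ) {
    if (!(m = re.exec(src))) throw new SyntaxError(`unexpected character in ${JSON.stringify(src)}`);
    if (m[1] === undefined) out.push(m[2] !== undefined ? { t: 'num', v: Number(m[2]) } : m[3] !== undefined ? { t: 'id', v: m[3] } : { t: 'op', v: m[4] });
  }
  return out;
}
function parse(src) { // precedence climbing: binary ops are left-associative, unary binds tightest
  const toks = tokenize(src), peek = () => toks[i] || {}, next = () => toks[i++] || {}; let i = 0;
  function primary() {
    const k = next(); if (k.t === undefined) throw new SyntaxError('unexpected end of expression');
    if (k.t === 'num') return { k: 'lit', v: k.v };
    if (k.v === '(') { const e = binary(0); if (next().v !== ')') throw new SyntaxError('expected )'); return e; }
    if (k.v === '-' || k.v === '!' || k.v === 'not') return { k: 'un', op: k.v, a: primary() };
    if (k.t !== 'id') throw new SyntaxError(`unexpected ${k.v}`); if (peek().v !== '(') return { k: 'var', name: k.v };
    next(); const args = []; if (peek().v !== ')') do args.push(binary(0)); while (peek().v === ',' && next());
    if (next().v !== ')') throw new SyntaxError('expected )'); return { k: 'call', f: k.v, args };
  }
  function binary(min) {
    let lhs = primary();
    for (let k = peek(); PREC[k.v] > min; k = peek()) { next(); lhs = { k: 'bin', op: k.v, a: lhs, b: binary(PREC[k.v]) }; }
    return lhs;
  }
  const ast = binary(0); if (i < toks.length) throw new SyntaxError(`unexpected ${toks[i].v}`); return ast;
}
function evalNode(n, vars) {
  if (n.k === 'lit') return n.v;
  if (n.k === 'var') { // own property with a primitive value: no prototype walk, no injected functions
    const v = Object.prototype.hasOwnProperty.call(vars, n.name) ? vars[n.name] : undefined;
    if (!['number', 'boolean', 'string'].includes(typeof v)) throw new ReferenceError(`unknown or non-primitive variable ${n.name}`);
    return v;
  }
  if (n.k === 'un') { const a = evalNode(n.a, vars); return n.op === '-' ? -a : !a; }
  if (n.k === 'call') { // resolved from the allow-list only; a function placed in vars is never callable
    if (typeof FUNCS[n.f] !== 'function') throw new ReferenceError(`unknown function ${n.f}`);
    return FUNCS[n.f](...n.args.map((x) => evalNode(x, vars)));
  }
  const a = evalNode(n.a, vars); // binary: and/or short-circuit, everything else evaluates both sides
  if (n.op === 'and' || n.op === '&&') return a && evalNode(n.b, vars);
  if (n.op === 'or' || n.op === '||') return a || evalNode(n.b, vars);
  const b = evalNode(n.b, vars);
  return { '+': a + b, '-': a - b, '*': a * b, '/': a / b, '%': a % b, '==': a === b, '!=': a !== b,
    '<': a < b, '>': a > b, '<=': a <= b, '>=': a >= b }[n.op];
}
const compile = (src) => { const ast = parse(src); return (vars = {}) => evalNode(ast, vars); };
```

`compile('price * quantity * (1 - discount)')({ price: 100, quantity: 2, discount: 0.1 })` returns 180, while `compile('constructor')({})` and `compile('f(1)')({ f: () => 1 })` both throw instead of reaching anything outside the expression's own data.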
## API Reference

### Parser class

#### new Parser()
Creates a new parser instance.

#### parser.parse(expression: string)
Parses an expression and returns an object with an evaluate() method.

#### parser.evaluate(expression: string, variables?: object)
Shorthand for parsing and evaluating in one step.

#### parser.functions
Object containing custom functions available in expressions.

#### parser.consts
Object containing constants available in expressions.

### Standalone functions

#### evaluate(expression: string, variables?: object)
Evaluates an expression directly.

#### compile(expression: string)
Compiles an expression into a reusable function.
## Testing

```bash
npm test
npm run test:coverage
```