Skip to content

Security Patch. #288

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 11 commits into
base: master
Choose a base branch
from
Open

Security Patch. #288

wants to merge 11 commits into from
+166 −32

Conversation

@sei-vsarvepalli
Copy link

@sei-vsarvepalli sei-vsarvepalli commented Nov 4, 2025

Fixes a vulnerability in the expr-eval package. We are unable to reach the researcher @silentmatt and @jorenbroekema developers who have their versions in the npmjs repository.

Vijay Sarvepalli
on behalf of CERT/CC

wtfiwtz added a commit to orchestrated-io/langchainjs that referenced this pull request Nov 5, 2025
@wtfiwtz
Fork of eval-expr
b23d705 
GHSA-jc85-fpwf-qm7x
silentmatt/expr-eval#288
@vaernion vaernion mentioned this pull request Nov 6, 2025
Merged
@jorenbroekema
Copy link

jorenbroekema commented Nov 6, 2025

I'm in the remote outback of Australia on a trip so that's why I've been hard to reach. When I have slightly better connection I'll try to make sure this is resolved on my end (jorenbroekema/expr-eval-fork). Sorry for not being as responsive as I would usually be!

dbakan
dbakan reviewed Nov 6, 2025
View reviewed changes
src/evaluate.js
* This logic is the core security allowance gate.
*/
var isAllowedFunc = function (f) {
if (typeof f !== 'function') return true;
Copy link

@dbakan dbakan Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this return false if f is not a function?

Copy link

@jorenbroekema jorenbroekema Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The check here is redundant anyways because we already check if the var is a function at the place where this is called. I'm guessing if it's not a function, then the expression is allowed because only functions are potentially malicious.

@jorenbroekema
Copy link

jorenbroekema commented Nov 7, 2025
edited
Loading

Could you @sei-vsarvepalli take a look here jorenbroekema#1 , I created a PR on my fork to include these security fixes, some linting fixes and adding an exports map (since we're doing a breaking change anyways, makes sense imo to include it now, see also #280)

@sei-vsarvepalli
Copy link
Author

sei-vsarvepalli commented Nov 7, 2025

Continued work in jorenbroekema#1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@dbakan dbakan dbakan left review comments

@jorenbroekema jorenbroekema jorenbroekema left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@sei-vsarvepalli @jorenbroekema @dbakan @sei-renae