
Conversation

@sei-vsarvepalli

Updates

  • Affected products

Comments
The npm expr-eval-fork version 3.0.0 is still vulnerable to this vulnerability. The full patch has not been absorbed by the provider - an issue (289) in the main package identified the incomplete patch, and it was fixed later with silentmatt/expr-eval#288. However, expr-eval-fork has not absorbed these changes as yet and it still remains vulnerable.

Copilot AI review requested due to automatic review settings November 21, 2025 01:00
@github-actions github-actions bot changed the base branch from main to sei-vsarvepalli/advisory-improvement-6454 November 21, 2025 01:01

Copilot AI left a comment


Pull Request Overview

This PR updates the security advisory GHSA-jc85-fpwf-qm7x to correctly reflect that the expr-eval-fork package version 3.0.0 remains vulnerable to CVE-2025-12735. The advisory previously incorrectly indicated that version 3.0.0 fixed the vulnerability, when in fact the incomplete patch means the issue persists.

  • Changed the affected version range for expr-eval-fork from indicating a fix in version 3.0.0 to specifying that version 2.0.2 is the last known affected version
  • Removed redundant database_specific.last_known_affected_version_range field, as this information is now properly encoded in the ranges
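The thread turns on a subtle point of OSV/GHSA range semantics: a `fixed` event excludes the named version from the affected set, while a `last_affected` event includes it, and setting `last_affected` to 2.0.2 (the first PR) still lets 3.0.0 through exactly as the original `fixed: 3.0.0` did. The following is an added example, not code from the GitHub Advisory Database project, that evaluates OSV-style `affected[].ranges[].events` against a version and shows which of the three advisory states discussed here would actually flag expr-eval-fork 3.0.0. It uses the real OSV field names (`introduced`, `fixed`, `last_affected`, `type: ECOSYSTEM`); the advisory fragments are constructed to mirror the thread, not copied from the live advisory, and version comparison is a simplified dotted-numeric compare (assumption: no prerelease or build tags).

```python
"""Evaluate OSV/GHSA-style affected version ranges.

Added example for the advisory thread; not code from the GitHub
Advisory Database project. Uses OSV schema field names (affected,
package, ranges, type, events, introduced, fixed, last_affected) and
a simplified dotted-numeric version comparison (assumption: plain
X.Y.Z versions, no prerelease or build metadata). The advisory
fragments below are constructed to mirror the thread's three states.
"""


def parse_version(v: str) -> tuple:
    """'2.0.2' -> (2, 0, 2). Prerelease tags are out of scope (assumption)."""
    return tuple(int(part) for part in v.split("."))


def affected_windows(events: list) -> list:
    """Pair each `introduced` event with the `fixed` / `last_affected` event
    that closes it. A trailing `introduced` with no closing event is an
    open-ended window (no fix known yet)."""
    windows, lo = [], None
    for ev in events:
        if "introduced" in ev:
            lo = ev["introduced"]
        elif "fixed" in ev:            # the fixed version itself is NOT affected
            windows.append((lo, "fixed", ev["fixed"]))
            lo = None
        elif "last_affected" in ev:    # the last_affected version itself IS affected
            windows.append((lo, "last_affected", ev["last_affected"]))
            lo = None
    if lo is not None:
        windows.append((lo, None, None))
    return windows


def version_in_range(version: str, events: list) -> bool:
    """True if `version` falls inside any window described by `events`."""
    v = parse_version(version)
    for lo, kind, hi in affected_windows(events):
        if lo != "0" and v < parse_version(lo):   # "0" means "from the beginning"
            continue
        if kind is None:                           # open-ended window
            return True
        hi_v = parse_version(hi)
        if kind == "fixed" and v < hi_v:
            return True
        if kind == "last_affected" and v <= hi_v:
            return True
    return False


def is_affected(advisory: dict, ecosystem: str, name: str, version: str) -> bool:
    """True if name@version in `ecosystem` matches any ECOSYSTEM range of the advisory."""
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            if version_in_range(version, rng.get("events", [])):
                return True
    return False


def make_advisory(closing_event: dict) -> dict:
    """Constructed advisory skeleton; only the closing event varies."""
    return {
        "id": "GHSA-jc85-fpwf-qm7x",
        "aliases": ["CVE-2025-12735"],
        "affected": [{
            "package": {"ecosystem": "npm", "name": "expr-eval-fork"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, closing_event]}],
        }],
    }


# The three states discussed in the thread (constructed).
ADVISORY_ORIGINAL = make_advisory({"fixed": "3.0.0"})           # claims 3.0.0 is safe
ADVISORY_FIRST_PR = make_advisory({"last_affected": "2.0.2"})   # still lets 3.0.0 through
ADVISORY_CORRECTED = make_advisory({"last_affected": "3.0.0"})  # flags 3.0.0 as affected


def flagged_versions(advisory: dict, versions: list) -> list:
    """Which of `versions` the advisory marks as affected."""
    return [v for v in versions if is_affected(advisory, "npm", "expr-eval-fork", v)]


if __name__ == "__main__":
    for label, adv in [("original", ADVISORY_ORIGINAL),
                       ("first PR", ADVISORY_FIRST_PR),
                       ("corrected", ADVISORY_CORRECTED)]:
        print(label, flagged_versions(adv, ["2.0.2", "3.0.0"]))
```

Running it shows that only the `last_affected: 3.0.0` form flags 3.0.0; both the original `fixed: 3.0.0` and the first-PR `last_affected: 2.0.2` leave a dependency on 3.0.0 unflagged by any scanner that consumes the OSV ranges, which is the gap the reviewer pointed out.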


@JonathanLEvans

Hi @sei-vsarvepalli,

Your change makes 2.0.2 the last affected version but if 3.0.0 is still vulnerable, shouldn't it be set to 3.0.0?

@sei-vsarvepalli
Author

Hi @sei-vsarvepalli,

Your change makes 2.0.2 the last affected version but if 3.0.0 is still vulnerable, shouldn't it be set to 3.0.0?

Hey @JonathanLEvans,

Good catch - thanks. I will update the PR.

@advisory-database advisory-database bot merged commit c8af485 into sei-vsarvepalli/advisory-improvement-6454 Nov 21, 2025
3 checks passed
@advisory-database
Contributor

Hi @sei-vsarvepalli! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the sei-vsarvepalli-GHSA-jc85-fpwf-qm7x branch November 21, 2025 16:52