Unsafe code execution in Node.js when using toJSFunction() with untrusted variables #292

@I3r4dd0ck

Description

Hi,
While reviewing expr-eval, I noticed a security-relevant behavior in the public API toJSFunction() that may be surprising or unsafe for users when used with untrusted input in Node.js environments.

Summary

toJSFunction() compiles an expression into native JavaScript using new Function().
If attacker-controlled variables are supplied, and those variables implement a custom toString(), the generated function may execute arbitrary JavaScript at runtime.
This is not an issue in browser environments, but can lead to arbitrary code execution in Node.js due to access to Node globals such as process.

Affected API

  • Expression.prototype.toJSFunction()

Root Cause

  • toJSFunction() performs string-based code generation.
  • Variable values are coerced via toString() during code generation.
  • The resulting source code is passed directly to new Function() without isolation.
  • This allows side effects or code execution if untrusted objects are supplied as variables.

Impact

When toJSFunction() is used with:

  • untrusted user input
  • attacker-controlled variables

an attacker may execute arbitrary JavaScript in the Node.js process.
This is especially relevant for applications that:

  • expose expression evaluation to users
  • reuse compiled expressions via toJSFunction() for performance

Proof of Concept

A minimal, reproducible PoC demonstrating this behavior in Node.js is available here:
👉 https://gist.github.com/I3r4dd0ck/928a1780b31255cdb10707d531036a5c
The PoC shows:

  • execution of arbitrary JavaScript
  • file system access
  • command execution via Node.js APIs

Notes

  • This report does not claim browser impact.
  • This report does not claim a sandbox escape guarantee violation.
  • The concern is about unsafe usage patterns that can realistically lead to RCE in Node.js.

I am reporting this responsibly and am happy to coordinate on disclosure or documentation guidance if needed.
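A defensive check an application can place in front of toJSFunction() when the variable map comes from an untrusted source. This is an added example, not code from the report or from expr-eval, and it does not call the library itself: it only whitelists the variable map so that every value is a primitive (and every name a plain identifier), which means no value can carry a custom toString() into the generated source. The names prepareVariables, isSafeVariableMap, SAFE_TYPES and NAME_RE are this example's own, and the sample inputs are constructed.

```javascript
// Added example (not expr-eval's code): a guard to run before
// Expression.prototype.toJSFunction() when the variable map is untrusted.
// Only primitive values pass, so nothing with a custom toString() can be
// coerced into the generated JavaScript source.

const SAFE_TYPES = new Set(['number', 'boolean', 'string']);

// Conservative identifier form for variable names; names containing
// quotes, dots, brackets or whitespace are rejected outright.
const NAME_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Returns a frozen, prototype-less copy of `vars` containing only
// primitive values, or throws a TypeError describing the first offender.
function prepareVariables(vars) {
  if (vars === null || typeof vars !== 'object' || Array.isArray(vars)) {
    throw new TypeError('variables must be a plain object');
  }
  const out = Object.create(null);
  for (const name of Object.keys(vars)) { // own, enumerable keys only
    if (!NAME_RE.test(name)) {
      throw new TypeError(`invalid variable name: ${JSON.stringify(name)}`);
    }
    const value = vars[name];
    const type = typeof value;
    if (!SAFE_TYPES.has(type)) {
      // Objects (including Number/String wrapper objects), functions and
      // symbols are rejected: these are the values that can define toString().
      throw new TypeError(`variable ${name} must be a primitive, got ${type}`);
    }
    if (type === 'number' && !Number.isFinite(value)) {
      throw new TypeError(`variable ${name} must be a finite number`);
    }
    out[name] = value;
  }
  return Object.freeze(out);
}

// Convenience predicate: true if the map passes prepareVariables, else false.
function isSafeVariableMap(vars) {
  try {
    prepareVariables(vars);
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false;
    throw e;
  }
}

// Constructed inputs: a plain numeric map and one whose value overrides
// toString(), the shape the report warns about.
const trusted = { x: 2, y: 3.5, flag: true, label: 'ok' };
const hostile = { x: { toString() { return '1'; } } };

console.log('trusted accepted:', isSafeVariableMap(trusted)); // true
console.log('hostile accepted:', isSafeVariableMap(hostile)); // false
```

In an application the call would become `expr.toJSFunction(params, prepareVariables(untrustedVars))`, so any non-primitive value is rejected before code generation rather than being stringified into it. A stricter policy for a given deployment is to allow numbers only; widening SAFE_TYPES is the one line to change.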
