Docker patches critical RCE in nested dependency, upstreams fix to LangChain.js

Tags: Node.js, DevOps, Security, Docker, Supply Chain

Key update

Docker identified a critical remote-code-execution vulnerability (CVE-2025-12735) in expr-eval, a JavaScript expression evaluator that sits three layers deep in the dependency trees of multiple projects. Docker patched its Hardened Images by replacing expr-eval with a maintained alternative (math-expression-evaluator) and submitted the fix upstream to LangChain.js, so that downstream projects (including affected Kibana images and LLM-powered apps) receive a permanent remediation. (docker.com)

Why it matters

This is a high-impact supply-chain security event with practical consequences. The vulnerability enabled arbitrary code execution via crafted expressions in an unmaintained nested dependency, and LangChain.js, the foundation for many LLM applications, pulled that dependency in through its transitive tree, exposing hundreds of thousands to millions of weekly users. Docker's approach (ship a hardened image for immediate protection and upstream the replacement so the vulnerability is removed at its source) shortens the window in which vendors or downstream builds reintroduce the issue. In practice, teams running Kibana, LangChain.js, or any app that might transitively include expr-eval must verify their dependency graphs, update to LangChain.js releases that include Docker's upstream fix (or apply an equivalent patch), rebuild and redeploy container images that incorporate the hardened fix, and ensure CI/CD dependency scanning and SBOM checks catch similar nested risks going forward. (docker.com)
