Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
- Severity: Medium
Description
When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`).
Recommendation
Update the @babel/runtime-corejs3 package to the latest compatible version. The version details are as follows:
- Affected version(s): **>= 8.0.0-alpha.0, < 8.0.0-alpha.16**; **< 7.26.10**
- Patched version(s): **8.0.0-alpha.17**; **7.26.10**
- Tags: npm, @babel/runtime-corejs3
Last updated on April 16, 2025