@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input

Description

Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code.

Recommendation

Update the @babel/plugin-transform-modules-systemjs package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 8.0.0-alpha.0, <= 8.0.0-alpha.12

  >= 7.12.0, <= 7.29.3**

• Patched version(s): **8.0.0-alpha.13

  7.29.4**

References

• GHSA-fv7c-fp4j-7gwp
• CVE-2026-44728
• CWE-843
• CWE-94
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - CVE-2023-45133
• Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups - @babel/helpers - CVE-2025-27789
• Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups - @babel/runtime-corejs2 - CVE-2025-27789
• Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups - @babel/runtime - CVE-2025-27789

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

@babel/plugin-transform-modules-systemjs