@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
- Severity:
- High
Description
Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code.
Recommendation
Update the @babel/plugin-transform-modules-systemjs package to the latest compatible version. Followings are version details:
Affected version(s): **>= 8.0.0-alpha.0, <= 8.0.0-alpha.12 >= 7.12.0, <= 7.29.3** Patched version(s): **8.0.0-alpha.13 7.29.4**
References
Related Issues
- Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - CVE-2023-45133
- FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
- next-mdx-remote affected by arbitrary code execution in React server-side rendering of untrusted MDX content - CVE-2026-0969
- Electerm runWidget has a path traversal that leads to arbitrary code execution - CVE-2026-43940
You might also like:
- Tags:
- npm
- @babel/plugin-transform-modules-systemjs
Anything's wrong? Let us know Last updated on May 08, 2026


