Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code

Severity:: High

Description

Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods.

Recommendation

Update the @babel/traverse package to the latest compatible version. Followings are version details:

Affected version(s): **>= 8.0.0-alpha.0, < 8.0.0-alpha.4 < 7.23.2**
Patched version(s): **8.0.0-alpha.4 7.23.2**

References

GHSA-67hx-6x53-jw92
www.debian.org
lists.debian.org
babeljs.io
CVE-2023-45133
CWE-184
CWE-697
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input - CVE-2026-44728
Nuxt vulnerable to remote code execution via the browser when running the test locally - CVE-2024-34344
Svelecte item names vulnerable to execution of arbitrary JavaScript - CVE-2023-38687
Joplin is vulnerable to arbitrary code execution - CVE-2022-35131

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; @babel/traverse

Anything's wrong? Let us know Last updated on April 04, 2024