Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Severity: High
Description
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()` or `path.evaluateTruthy()` internal Babel methods.
Recommendation
Update the `@babel/traverse` package to the latest compatible version. Version details follow:
Affected version(s): **>= 8.0.0-alpha.0, < 8.0.0-alpha.4; < 7.23.2**
Patched version(s): **8.0.0-alpha.4; 7.23.2**
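To check whether a project still pins an affected `@babel/traverse`, the following added example (not part of the advisory or of Babel itself) walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and tests every copy, including nested ones under other packages, against the two affected ranges above. It assumes only Node built-ins; the lockfile content is constructed inline.

```javascript
// Parse "7.23.1" or "8.0.0-alpha.3" into numeric core and prerelease identifiers
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// Semver precedence: compare core, then prerelease (a prerelease sorts below its release)
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;
  if (pb.pre.length === 0) return -1;
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    if (i >= pa.pre.length) return -1; // shorter prerelease list sorts first
    if (i >= pb.pre.length) return 1;
    const x = pa.pre[i], y = pb.pre[i];
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) { if (+x !== +y) return +x < +y ? -1 : 1; } // numeric identifiers
    else if (nx) return -1;                                      // numeric < alphanumeric
    else if (ny) return 1;
    else if (x !== y) return x < y ? -1 : 1;                     // lexical
  }
  return 0;
}

// Affected per the advisory: >= 8.0.0-alpha.0 and < 8.0.0-alpha.4, or < 7.23.2
function isAffected(version) {
  if (compareVersions(version, '8.0.0-alpha.0') >= 0 &&
      compareVersions(version, '8.0.0-alpha.4') < 0) return true;
  return compareVersions(version, '7.23.2') < 0;
}

// Report every @babel/traverse entry in the lockfile whose version is affected
function findAffected(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path.endsWith('node_modules/@babel/traverse') && entry.version &&
        isAffected(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile (not from a real project): top-level copy is patched,
// a nested copy pulled in by a plugin is still on an affected 7.x release
const sampleLock = { lockfileVersion: 3, packages: {
  'node_modules/@babel/traverse': { version: '7.23.2' },
  'node_modules/some-plugin/node_modules/@babel/traverse': { version: '7.22.5' },
} };
console.log(findAffected(sampleLock));
```

In a real project, replace `sampleLock` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; a non-empty result means an `npm update @babel/traverse` (or an override) is still needed.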
References
- GHSA-67hx-6x53-jw92
- www.debian.org
- lists.debian.org
- babeljs.io
- CVE-2023-45133
- CWE-184
- CWE-697
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Websites were able to send any requests to the development server and read the response in vite - CVE-2025-24010
- Parsed HTML anchor links in Markdown provided to parseMarkdown can result in XSS in @nuxtjs/mdc - CVE-2025-24981
- Vega Expression Language `scale` expression function Cross Site Scripting (GHSA-4vq7-882g-wcg4) - CVE-2023-26486
- secp256k1-js implements ECDSA without required r and s validation, leading to signature forgery - CVE-2022-41340
Tags: npm, @babel/traverse
Last updated on April 04, 2024