Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Severity: High
Description
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods.
Recommendation
Update the @babel/traverse package to the latest compatible version. Version details:
Affected version(s): **>= 8.0.0-alpha.0, < 8.0.0-alpha.4** and **< 7.23.2**. Patched version(s): **8.0.0-alpha.4** and **7.23.2**.
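As an added example (not code from the advisory, from Babel, or from the @babel/traverse project), the check below scans an npm package-lock.json for every installed copy of @babel/traverse whose version falls in the affected ranges stated above; the lock-file content is constructed and the semver comparison is a minimal pre-release-aware one written for this purpose.

```javascript
// Added example (not from the advisory or Babel): flag installed @babel/traverse
// copies in the affected ranges >= 8.0.0-alpha.0 < 8.0.0-alpha.4, or < 7.23.2.
// Minimal semver comparison: pre-release aware, build metadata not handled.
function parseVersion(v) {
  const dash = v.indexOf('-');
  const [major, minor, patch] = (dash === -1 ? v : v.slice(0, dash)).split('.').map(Number);
  // Pre-release identifiers: numeric ones compare as numbers, the rest as strings.
  const pre = dash === -1 ? null
    : v.slice(dash + 1).split('.').map(id => (/^\d+$/.test(id) ? Number(id) : id));
  return { major, minor, patch, pre };
}
function compareVersions(a, b) {
  const va = parseVersion(a), vb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (va[k] !== vb[k]) return va[k] < vb[k] ? -1 : 1;
  }
  // A release sorts after any pre-release of the same core version.
  if (va.pre === null || vb.pre === null) return va.pre === vb.pre ? 0 : (va.pre ? -1 : 1);
  for (let i = 0; i < Math.max(va.pre.length, vb.pre.length); i++) {
    const x = va.pre[i], y = vb.pre[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1; // shorter list first
    if (x === y) continue;
    if (typeof x !== typeof y) return typeof x === 'number' ? -1 : 1; // numeric ids sort first
    return x < y ? -1 : 1;
  }
  return 0;
}
// The two affected ranges exactly as the advisory states them.
function isAffected(version) {
  const inAlphaRange = compareVersions(version, '8.0.0-alpha.0') >= 0 &&
                       compareVersions(version, '8.0.0-alpha.4') < 0;
  return inAlphaRange || compareVersions(version, '7.23.2') < 0;
}
// npm lockfileVersion 2/3 lists every installed copy under "packages", keyed by its
// node_modules path, so nested duplicates inside other packages are checked too.
function findAffectedTraverse(lockJson) {
  return Object.entries(JSON.parse(lockJson).packages || {})
    .filter(([p, m]) => p.endsWith('node_modules/@babel/traverse') && m.version && isAffected(m.version))
    .map(([p, m]) => ({ path: p, version: m.version }));
}
// Constructed sample lock file: a patched top-level copy plus two vulnerable nested copies.
const SAMPLE_LOCK = JSON.stringify({ name: 'example-app', lockfileVersion: 3, packages: {
  '': { name: 'example-app' },
  'node_modules/@babel/traverse': { version: '7.23.2' },
  'node_modules/tool-a/node_modules/@babel/traverse': { version: '7.22.20' },
  'node_modules/tool-b/node_modules/@babel/traverse': { version: '8.0.0-alpha.2' },
} });

console.log(findAffectedTraverse(SAMPLE_LOCK));
```

Point it at a real lock file with `findAffectedTraverse(require('fs').readFileSync('package-lock.json', 'utf8'))`; a non-empty result means at least one copy still needs the update, even when the top-level one is already patched.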
References
- GHSA-67hx-6x53-jw92
- www.debian.org
- lists.debian.org
- babeljs.io
- CVE-2023-45133
- CWE-184
- CWE-697
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF - CVE-2024-4367
- Vega vulnerable to arbitrary code execution when clicking href links - Vulnerability
- Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin - CVE-2023-22621
- Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution - CVE-2023-36475
Tags: npm, @babel/traverse
Last updated on April 04, 2024