Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Severity: High
Description
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()` or `path.evaluateTruthy()` internal Babel methods.
Recommendation
Update the @babel/traverse package to the latest compatible version. Version details:
Affected version(s): **< 7.23.2** and **>= 8.0.0-alpha.0, < 8.0.0-alpha.4**. Patched version(s): **7.23.2** and **8.0.0-alpha.4**.
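As an added check (not code from this advisory or from the Babel project), the script below flags installed @babel/traverse versions that fall inside the affected ranges and scans the `packages` map of a package-lock.json for them; the sample lockfile is constructed, and the small semver comparator is included so it runs without the `semver` package.

```javascript
// Added example (not the advisory's or Babel's code): flag @babel/traverse versions in
// the affected ranges; a minimal semver comparator avoids needing the `semver` package.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { main: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}
// Comparator (<0, 0, >0) per semver precedence: numeric core, then a release
// outranks any prerelease, then prerelease identifiers left to right.
function compareSemver(a, b) {
  const A = parseSemver(a), B = parseSemver(b);
  for (let i = 0; i < 3; i++) if (A.main[i] !== B.main[i]) return A.main[i] - B.main[i];
  if (A.pre.length === 0 || B.pre.length === 0) return B.pre.length - A.pre.length;
  for (let i = 0; i < Math.max(A.pre.length, B.pre.length); i++) {
    if (A.pre[i] === undefined) return -1; // shorter identifier list is lower
    if (B.pre[i] === undefined) return 1;
    const na = /^\d+$/.test(A.pre[i]), nb = /^\d+$/.test(B.pre[i]);
    if (na && nb) { if (+A.pre[i] !== +B.pre[i]) return +A.pre[i] - +B.pre[i]; }
    else if (na !== nb) return na ? -1 : 1; // numeric sorts before alphanumeric
    else if (A.pre[i] !== B.pre[i]) return A.pre[i] < B.pre[i] ? -1 : 1;
  }
  return 0;
}
// Affected ranges as stated in the advisory for CVE-2023-45133.
const AFFECTED_RANGES = [
  { lo: null, hi: '7.23.2' },                   // < 7.23.2
  { lo: '8.0.0-alpha.0', hi: '8.0.0-alpha.4' }, // >= 8.0.0-alpha.0, < 8.0.0-alpha.4
];
function isAffectedBabelTraverse(version) {
  return AFFECTED_RANGES.some(({ lo, hi }) =>
    (lo === null || compareSemver(version, lo) >= 0) && compareSemver(version, hi) < 0);
}
// Walks the `packages` map of a lockfileVersion 2/3 package-lock.json; nested copies
// under another package's node_modules are where a top-level upgrade may leave an old one.
function findAffectedInLockfile(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/@babel/traverse') && isAffectedBabelTraverse(entry.version))
      hits.push({ path, version: entry.version });
  }
  return hits;
}
// Constructed sample lockfile: the top-level copy is patched, two nested copies are not.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/@babel/traverse': { version: '7.23.2' },
  'node_modules/some-tool/node_modules/@babel/traverse': { version: '7.22.5' },
  'node_modules/other-tool/node_modules/@babel/traverse': { version: '8.0.0-alpha.3' },
} };
console.log(findAffectedInLockfile(SAMPLE_LOCK)); // two hits: 7.22.5 and 8.0.0-alpha.3
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.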
References
- GHSA-67hx-6x53-jw92
- www.debian.org
- lists.debian.org
- babeljs.io
- CVE-2023-45133
- CWE-184
- CWE-697
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Tags: npm, @babel/traverse
Last updated on April 04, 2024