Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Severity: High
Description
Using Babel to compile source code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when plugins that rely on the internal Babel methods path.evaluate() or path.evaluateTruthy() are in use.
Recommendation
Update the @babel/traverse package to the latest compatible version. Version details:
- Affected version(s): **< 7.23.2** and **>= 8.0.0-alpha.0, < 8.0.0-alpha.4**
- Patched version(s): **7.23.2** and **8.0.0-alpha.4**
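As an added example (not code from the advisory or from the Babel project), the following checks an npm lockfile for installed copies of @babel/traverse that fall inside the affected ranges quoted above, including nested duplicates that a top-level `npm ls` can miss. The function names are hypothetical, the sample lockfile is constructed, and the small comparator handles SemVer pre-release identifiers so that the 8.0.0-alpha.x range is evaluated correctly.

```javascript
// Parse "MAJOR.MINOR.PATCH[-pre.release]" into comparable parts.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [1, 2, 3].map(i => Number(m[i])), pre: m[4] ? m[4].split('.') : [] };
}

// SemVer 2.0 precedence: numeric core first, then pre-release identifiers;
// a pre-release sorts below its final release (8.0.0-alpha.4 < 8.0.0).
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  if (!x.pre.length || !y.pre.length) return x.pre.length === y.pre.length ? 0 : (x.pre.length ? -1 : 1);
  for (let i = 0; i < Math.min(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i], pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) { if (+p !== +q) return +p < +q ? -1 : 1; }   // numeric vs numeric
    else if (pn !== qn) return pn ? -1 : 1;                      // numeric sorts before alphanumeric
    else if (p !== q) return p < q ? -1 : 1;                     // ASCII order
  }
  return x.pre.length === y.pre.length ? 0 : (x.pre.length < y.pre.length ? -1 : 1);
}

// Affected ranges quoted in the advisory: < 7.23.2, and >= 8.0.0-alpha.0 < 8.0.0-alpha.4.
function isVulnerableTraverse(version) {
  const lt = (a, b) => compareSemver(a, b) < 0;
  return lt(version, '7.23.2') || (!lt(version, '8.0.0-alpha.0') && lt(version, '8.0.0-alpha.4'));
}

// Walk an npm lockfile (lockfileVersion 2/3 "packages" map) and report every
// installed copy of @babel/traverse, nested duplicates included, that is affected.
function findVulnerableTraverse(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path.endsWith('node_modules/@babel/traverse') && meta.version && isVulnerableTraverse(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@babel/traverse': { version: '7.23.2' },
    'node_modules/some-tool/node_modules/@babel/traverse': { version: '7.22.8' },
    'node_modules/other/node_modules/@babel/traverse': { version: '8.0.0-alpha.3' },
  },
};
console.log(findVulnerableTraverse(SAMPLE_LOCK));
```

On a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the top-level copy being patched does not clear the nested ones.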
References
- GHSA-67hx-6x53-jw92
- www.debian.org
- lists.debian.org
- babeljs.io
- CVE-2023-45133
- CWE-184
- CWE-697
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input - CVE-2026-44728
- Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package - CVE-2025-68619
- Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin - CVE-2023-22621
- Joplin is vulnerable to arbitrary code execution - CVE-2022-35131
- Tags:
- npm
- @babel/traverse
Last updated on April 04, 2024