Vulnerabilities related to babel - babel
cve-2025-27789
Vulnerability from cvelistv5
Published: 2025-03-11 19:09
Modified: 2025-03-11 19:53
Summary
Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the `.replace` method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of `.replace`. This problem has been fixed in `@babel/helpers` and `@babel/runtime` 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on `@babel/helpers`, and instead depend on `@babel/core` (which itself depends on `@babel/helpers`). Upgrading to `@babel/core` 7.26.10 is not required, but it guarantees use of a new enough `@babel/helpers` version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.
References
| URL | Tags |
|---|---|
| https://github.com/babel/babel/security/advisories/GHSA-968p-4wvh-cqc8 | x_refsource_CONFIRM |
| https://github.com/babel/babel/pull/17173 | x_refsource_MISC |
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2025-27789", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-11T19:53:22.902147Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-11T19:53:42.811Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "babel", vendor: "babel", versions: [ { status: "affected", version: "< 7.26.10", }, { status: "affected", version: ">= 8.0.0-alpha.0, < 8.0.0-alpha.17", }, ], }, ], descriptions: [ { lang: "en", value: "Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the `.replace` method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of `.replace`. This problem has been fixed in `@babel/helpers` and `@babel/runtime` 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on `@babel/helpers`, and instead depend on `@babel/core` (which itself depends on `@babel/helpers`). Upgrading to `@babel/core` 7.26.10 is not required, but it guarantees use of a new enough `@babel/helpers` version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. 
No known workarounds are available.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 6.2, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-1333", description: "CWE-1333: Inefficient Regular Expression Complexity", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-11T19:09:28.146Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/babel/babel/security/advisories/GHSA-968p-4wvh-cqc8", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/babel/babel/security/advisories/GHSA-968p-4wvh-cqc8", }, { name: "https://github.com/babel/babel/pull/17173", tags: [ "x_refsource_MISC", ], url: "https://github.com/babel/babel/pull/17173", }, ], source: { advisory: "GHSA-968p-4wvh-cqc8", discovery: "UNKNOWN", }, title: "Inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2025-27789", datePublished: "2025-03-11T19:09:28.146Z", dateReserved: "2025-03-06T18:06:54.462Z", dateUpdated: "2025-03-11T19:53:42.811Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-45133
Vulnerability from cvelistv5
Published: 2023-10-12 16:17
Modified: 2025-02-13 17:13
Summary
Babel is a compiler for writing JavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of `babel-traverse`, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()` or `path.evaluateTruthy()` internal Babel methods. Known affected plugins are `@babel/plugin-transform-runtime`; `@babel/preset-env` when using its `useBuiltIns` option; and any "polyfill provider" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`. No other plugins under the `@babel/` namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in `@babel/traverse@7.23.2` and `@babel/traverse@8.0.0-alpha.4`. Those who cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions: `@babel/plugin-transform-runtime` v7.23.2, `@babel/preset-env` v7.23.2, `@babel/helper-define-polyfill-provider` v0.4.3, `babel-plugin-polyfill-corejs2` v0.4.6, `babel-plugin-polyfill-corejs3` v0.8.5, `babel-plugin-polyfill-es-shims` v0.10.0, `babel-plugin-polyfill-regenerator` v0.5.3.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T20:14:19.735Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92", }, { name: "https://github.com/babel/babel/pull/16033", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/babel/babel/pull/16033", }, { name: "https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82", }, { name: "https://github.com/babel/babel/releases/tag/v7.23.2", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/babel/babel/releases/tag/v7.23.2", }, { name: "https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4", }, { tags: [ "x_transferred", ], url: "https://www.debian.org/security/2023/dsa-5528", }, { tags: [ "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2023/10/msg00026.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-45133", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-09-18T15:45:41.131211Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-18T15:46:03.118Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "babel", vendor: "babel", versions: [ { status: "affected", version: "< 7.23.2", }, { status: "affected", version: ">= 8.0.0-alpha.0, < 8.0.0-alpha.4", }, ], }, ], 
descriptions: [ { lang: "en", value: "Babel is a compiler for writingJavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of `babel-traverse`, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods. Known affected plugins are `@babel/plugin-transform-runtime`; `@babel/preset-env` when using its `useBuiltIns` option; and any \"polyfill provider\" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`. No other plugins under the `@babel/` namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in `@babel/traverse@7.23.2` and `@babel/traverse@8.0.0-alpha.4`. 
Those who cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions: `@babel/plugin-transform-runtime` v7.23.2, `@babel/preset-env` v7.23.2, `@babel/helper-define-polyfill-provider` v0.4.3, `babel-plugin-polyfill-corejs2` v0.4.6, `babel-plugin-polyfill-corejs3` v0.8.5, `babel-plugin-polyfill-es-shims` v0.10.0, `babel-plugin-polyfill-regenerator` v0.5.3.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 9.4, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-184", description: "CWE-184: Incomplete List of Disallowed Inputs", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-10-19T08:06:11.273Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92", }, { name: "https://github.com/babel/babel/pull/16033", tags: [ "x_refsource_MISC", ], url: "https://github.com/babel/babel/pull/16033", }, { name: "https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82", tags: [ "x_refsource_MISC", ], url: "https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82", }, { name: "https://github.com/babel/babel/releases/tag/v7.23.2", tags: [ "x_refsource_MISC", ], url: "https://github.com/babel/babel/releases/tag/v7.23.2", }, { name: "https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4", tags: [ "x_refsource_MISC", ], url: 
"https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4", }, { url: "https://www.debian.org/security/2023/dsa-5528", }, { url: "https://lists.debian.org/debian-lts-announce/2023/10/msg00026.html", }, ], source: { advisory: "GHSA-67hx-6x53-jw92", discovery: "UNKNOWN", }, title: "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2023-45133", datePublished: "2023-10-12T16:17:08.624Z", dateReserved: "2023-10-04T16:02:46.328Z", dateUpdated: "2025-02-13T17:13:48.413Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }