CWE: 184, 697

CVE-2023-45133: Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code

First published: Thu Oct 12 2023 (Updated: )

### Impact

Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()` or `path.evaluateTruthy()` internal Babel methods.

Known affected plugins are:

- `@babel/plugin-transform-runtime`
- `@babel/preset-env` when using its [`useBuiltIns`](https://babeljs.io/docs/babel-preset-env#usebuiltins) option
- Any "polyfill provider" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`

No other plugins under the `@babel/` namespace are impacted, but third-party plugins might be.

**Users that only compile trusted code are not impacted.**

### Patches

The vulnerability has been fixed in `@babel/traverse@7.23.2`.

Babel 6 does not receive security fixes anymore (see [Babel's security policy](https://github.com/babel/babel/security/policy)), hence there is no patch planned for `babel-traverse@6`.

### Workarounds

- Upgrade `@babel/traverse` to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. `@babel/core` >=7.23.2 will automatically pull in a non-vulnerable version.
- If you cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions:
  - `@babel/plugin-transform-runtime` v7.23.2
  - `@babel/preset-env` v7.23.2
  - `@babel/helper-define-polyfill-provider` v0.4.3
  - `babel-plugin-polyfill-corejs2` v0.4.6
  - `babel-plugin-polyfill-corejs3` v0.8.5
  - `babel-plugin-polyfill-es-shims` v0.10.0
  - `babel-plugin-polyfill-regenerator` v0.5.3
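As an added defender-side check, not part of the advisory or of Babel itself, the script below scans a package-lock.json (the `packages` map of lockfileVersion 2 or 3; the lockfile here is a constructed sample) for installs that sit below the fixed versions the advisory names, including the 8.0.0-alpha line of `@babel/traverse` and the unpatched `babel-traverse` v6. The semver comparison is hand-rolled so the check runs with no dependencies.

```javascript
// Fixed versions per major line, taken from the advisory (added example, not Babel's own code).
const FIXED = {
  "@babel/traverse": ["7.23.2", "8.0.0-alpha.4"], "@babel/plugin-transform-runtime": ["7.23.2"],
  "@babel/preset-env": ["7.23.2"], "@babel/helper-define-polyfill-provider": ["0.4.3"],
  "babel-plugin-polyfill-corejs2": ["0.4.6"], "babel-plugin-polyfill-corejs3": ["0.8.5"],
  "babel-plugin-polyfill-es-shims": ["0.10.0"], "babel-plugin-polyfill-regenerator": ["0.5.3"],
  "babel-traverse": null, // Babel 6 line: no patch planned, so every version is flagged
};
// Minimal semver parse: "8.0.0-alpha.4" -> { nums: [8, 0, 0], ids: ["alpha", 4] }
function parse(v) {
  const [core, ...pre] = v.split("+")[0].split("-");
  const ids = pre.length ? pre.join("-").split(".").map(s => (/^\d+$/.test(s) ? Number(s) : s)) : [];
  return { nums: core.split(".").map(Number), ids };
}
// Semver ordering with prerelease rules, so 8.0.0-alpha.2 < 8.0.0-alpha.4 < 8.0.0.
function cmp(a, b) {
  const A = parse(a), B = parse(b);
  for (let i = 0; i < 3; i++) if (A.nums[i] !== B.nums[i]) return A.nums[i] - B.nums[i];
  if (!A.ids.length || !B.ids.length) return B.ids.length - A.ids.length; // release > prerelease
  for (let i = 0; i < Math.max(A.ids.length, B.ids.length); i++) {
    const x = A.ids[i], y = B.ids[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1; // shorter sorts first
    if (x !== y) return typeof x !== typeof y ? (typeof x === "number" ? -1 : 1) : (x < y ? -1 : 1);
  }
  return 0;
}
// Flagged when the installed version is below the fixed version of its own major line.
function isVulnerable(name, version) {
  if (!Object.hasOwn(FIXED, name)) return false;
  if (FIXED[name] === null) return true;
  const fixed = FIXED[name].find(f => parse(f).nums[0] === parse(version).nums[0]);
  return fixed !== undefined && cmp(version, fixed) < 0;
}
// Walk a package-lock v2/v3 "packages" map; nested node_modules copies are caught too.
function scanLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/"), name = path.slice(i + "node_modules/".length);
    if (i < 0 || !meta.version) continue; // "" is the root project entry
    if (isVulnerable(name, meta.version)) hits.push({ name, version: meta.version, path });
  }
  return hits;
}
const SAMPLE_LOCK = { lockfileVersion: 3, packages: { // constructed sample, not a real project
  "": { name: "demo-app", version: "1.0.0" }, "node_modules/@babel/core": { version: "7.22.0" },
  "node_modules/@babel/traverse": { version: "7.22.5" }, "node_modules/@babel/preset-env": { version: "7.23.2" },
  "node_modules/babel-plugin-polyfill-corejs3": { version: "0.8.3" },
  "node_modules/some-tool/node_modules/@babel/traverse": { version: "8.0.0-alpha.2" },
} };
for (const h of scanLockfile(SAMPLE_LOCK)) console.log(`${h.path}: ${h.name}@${h.version} is below the fixed version`);
```

On a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a hit on a nested copy means a transitive dependency pins the old `@babel/traverse` and the lockfile entry must be removed and re-resolved as the workaround describes.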

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
|---|---|---|
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Debian Debian Linux | =12.0 | |
| Babeljs Babel | <7.23.2 | |
| Babeljs Babel | =8.0.0-alpha.0 | |
| Babeljs Babel | =8.0.0-alpha.1 | |
| Babeljs Babel | =8.0.0-alpha.2 | |
| Babeljs Babel | =8.0.0-alpha.3 | |
| Babeljs Babel-helper-define-polyfill-provider | <0.4.3 | |
| Babeljs Babel-plugin-polyfill-corejs2 | <0.4.6 | |
| Babeljs Babel-plugin-polyfill-corejs3 | <0.8.5 | |
| Babeljs Babel-plugin-polyfill-es-shims | <0.10.0 | |
| Babeljs Babel-plugin-polyfill-regenerator | <0.5.3 | |
| Babeljs Babel-plugin-transform-runtime | <7.23.2 | |
| Babeljs Babel-preset-env | <7.23.2 | |
| debian/node-babel7 | <=7.4.5-1, <=7.20.15+ds1+~cs214.269.168-4 | 7.20.15+ds1+~cs214.269.168-5, 7.20.15+ds1+~cs214.269.168-3+deb12u1, 7.12.12+~cs150.141.84-6+deb11u1 |
| npm/@babel/traverse | >=8.0.0-alpha.0 <8.0.0-alpha.4 | 8.0.0-alpha.4 |
| npm/@babel/traverse | <7.23.2 | 7.23.2 |
| debian/node-babel | <=6.26.0+dfsg-3 | 6.26.0+dfsg-3+deb10u1 |
| debian/node-babel7 | <=7.12.12+~cs150.141.84-6 | 7.12.12+~cs150.141.84-6+deb11u1, 7.20.15+ds1+~cs214.269.168-3+deb12u1, 7.20.15+ds1+~cs214.269.168-6 |
| npm/babel-traverse | <7.23.2 | |


Frequently Asked Questions

  • What is the vulnerability ID of this issue?

    The vulnerability ID of this issue is CVE-2023-45133.

  • What is the impact of this vulnerability?

    Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()` or `path.evaluateTruthy()` internal Babel methods.

  • Which versions of @babel/traverse are affected by this vulnerability?

    Versions up to and including 8.0.0-alpha.4 of @babel/traverse are affected by this vulnerability.

  • What other packages or software are affected by this vulnerability?

    Other affected packages include node-babel version up to and including 6.26.0+dfsg-3 and node-babel7 versions up to and including 7.12.12+~cs150.141.84-6.

  • How to remediate this vulnerability?

    To remediate this vulnerability, update @babel/traverse to version 8.0.0-alpha.4 or later, node-babel to version 7.23.2 or later, and node-babel7 to version 7.12.12+~cs150.141.84-6 or later.
