First published: Thu Oct 12 2023 (Updated: )
### Impact

Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()` or `path.evaluateTruthy()` internal Babel methods.

Known affected plugins are:

- `@babel/plugin-transform-runtime`
- `@babel/preset-env` when using its [`useBuiltIns`](https://babeljs.io/docs/babel-preset-env#usebuiltins) option
- Any "polyfill provider" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`

No other plugins under the `@babel/` namespace are impacted, but third-party plugins might be.

**Users that only compile trusted code are not impacted.**

### Patches

The vulnerability has been fixed in `@babel/traverse@7.23.2`.

Babel 6 does not receive security fixes anymore (see [Babel's security policy](https://github.com/babel/babel/security/policy)), hence there is no patch planned for `babel-traverse@6`.

### Workarounds

- Upgrade `@babel/traverse` to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. `@babel/core` >=7.23.2 will automatically pull in a non-vulnerable version.
- If you cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions:
  - `@babel/plugin-transform-runtime` v7.23.2
  - `@babel/preset-env` v7.23.2
  - `@babel/helper-define-polyfill-provider` v0.4.3
  - `babel-plugin-polyfill-corejs2` v0.4.6
  - `babel-plugin-polyfill-corejs3` v0.8.5
  - `babel-plugin-polyfill-es-shims` v0.10.0
  - `babel-plugin-polyfill-regenerator` v0.5.3
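The upgrade advice above hinges on every copy of `@babel/traverse` in a lockfile being at or above the fixed version, including nested copies pinned under other dependencies. The check below is an added example, not code from the advisory or the Babel project: it scans a parsed `package-lock.json` (lockfileVersion 2 or 3) for `@babel/traverse` and `babel-traverse` entries below the fixed versions named above (7.23.2 for the 7.x line, 8.0.0-alpha.4 for the 8.x prereleases, no fix for Babel 6). The sample lockfile is constructed.

```javascript
// Added example (not Babel project code): flag Babel traverse packages in a lockfile.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split(".") : null };
}

// Semver ordering: numeric core, then prerelease ids; a prerelease sorts before its release.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  if (!pa.pre || !pb.pre) return (pa.pre ? -1 : 0) + (pb.pre ? 1 : 0);
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) { if (+x !== +y) return +x - +y; }
    else if (nx !== ny) return nx ? -1 : 1;            // numeric ids sort before alphanumeric
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Fixed versions from the advisory; babel-traverse (Babel 6) has no fix, so every version is flagged.
function isVulnerable(name, version) {
  if (name === "babel-traverse") return true;
  if (name !== "@babel/traverse") return false;
  const fixed = parseVersion(version).core[0] >= 8 ? "8.0.0-alpha.4" : "7.23.2";
  return compareVersions(version, fixed) < 0;
}

// lockfile: parsed package-lock.json (v2/v3, "packages" keyed by install path); nested copies count.
function findVulnerableTraverse(lockfile) {
  return Object.entries(lockfile.packages || {})
    .filter(([path, e]) => path !== "" && typeof e.version === "string") // "" is the root project
    .map(([path, e]) => ({ path, name: e.name || path.replace(/^.*node_modules\//, ""), version: e.version }))
    .filter((p) => isVulnerable(p.name, p.version))
    .map(({ path, version }) => ({ path, version }));
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/@babel/traverse": { version: "7.23.2" },
  "node_modules/some-tool/node_modules/@babel/traverse": { version: "7.22.5" },
  "node_modules/next-gen/node_modules/@babel/traverse": { version: "8.0.0-alpha.3" },
  "node_modules/babel-traverse": { version: "6.26.0" },
} };
console.log(findVulnerableTraverse(SAMPLE_LOCK));
```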
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
Debian Debian Linux | =12.0 | |
Babeljs Babel | <7.23.2 | |
Babeljs Babel | =8.0.0-alpha.0 | |
Babeljs Babel | =8.0.0-alpha.1 | |
Babeljs Babel | =8.0.0-alpha.2 | |
Babeljs Babel | =8.0.0-alpha.3 | |
Babeljs Babel-helper-define-polyfill-provider | <0.4.3 | |
Babeljs Babel-plugin-polyfill-corejs2 | <0.4.6 | |
Babeljs Babel-plugin-polyfill-corejs3 | <0.8.5 | |
Babeljs Babel-plugin-polyfill-es-shims | <0.10.0 | |
Babeljs Babel-plugin-polyfill-regenerator | <0.5.3 | |
Babeljs Babel-plugin-transform-runtime | <7.23.2 | |
Babeljs Babel-preset-env | <7.23.2 | |
debian/node-babel7 | <=7.4.5-1, <=7.20.15+ds1+~cs214.269.168-4 | 7.20.15+ds1+~cs214.269.168-5, 7.20.15+ds1+~cs214.269.168-3+deb12u1, 7.12.12+~cs150.141.84-6+deb11u1 |
npm/@babel/traverse | >=8.0.0-alpha.0 <8.0.0-alpha.4 | 8.0.0-alpha.4 |
npm/@babel/traverse | <7.23.2 | 7.23.2 |
debian/node-babel | <=6.26.0+dfsg-3 | 6.26.0+dfsg-3+deb10u1 |
debian/node-babel7 | <=7.12.12+~cs150.141.84-6 | 7.12.12+~cs150.141.84-6+deb11u1, 7.20.15+ds1+~cs214.269.168-3+deb12u1, 7.20.15+ds1+~cs214.269.168-6 |
npm/babel-traverse | <7.23.2 | |
The vulnerability ID of this issue is CVE-2023-45133.
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()` or `path.evaluateTruthy()` internal Babel methods.
Versions up to and including 8.0.0-alpha.4 of @babel/traverse are affected by this vulnerability.
Other affected packages include node-babel version up to and including 6.26.0+dfsg-3 and node-babel7 versions up to and including 7.12.12+~cs150.141.84-6.
To remediate this vulnerability, update @babel/traverse to version 8.0.0-alpha.4 or later, node-babel to version 7.23.2 or later, and node-babel7 to version 7.12.12+~cs150.141.84-6 or later.