CVE-2023-45133: Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
First published: Thu Oct 12 2023(Updated: )
### Impact Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods. Known affected plugins are: - `@babel/plugin-transform-runtime` - `@babel/preset-env` when using its [`useBuiltIns`](https://babeljs.io/docs/babel-preset-env#usebuiltins) option - Any "polyfill provider" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator` No other plugins under the `@babel/` namespace are impacted, but third-party plugins might be. **Users that only compile trusted code are not impacted.** ### Patches The vulnerability has been fixed in `@babel/traverse@7.23.2`. Babel 6 does not receive security fixes anymore (see [Babel's security policy](https://github.com/babel/babel/security/policy)), hence there is no patch planned for `babel-traverse@6`. ### Workarounds - Upgrade `@babel/traverse` to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. `@babel/core` >=7.23.2 will automatically pull in a non-vulnerable version. - If you cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions: - `@babel/plugin-transform-runtime` v7.23.2 - `@babel/preset-env` v7.23.2 - `@babel/helper-define-polyfill-provider` v0.4.3 - `babel-plugin-polyfill-corejs2` v0.4.6 - `babel-plugin-polyfill-corejs3` v0.8.5 - `babel-plugin-polyfill-es-shims` v0.10.0 - `babel-plugin-polyfill-regenerator` v0.5.3
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Debian Debian Linux | =12.0 | |
| Babeljs Babel | <7.23.2 | |
| Babeljs Babel | =8.0.0-alpha.0 | |
| Babeljs Babel | =8.0.0-alpha.1 | |
| Babeljs Babel | =8.0.0-alpha.2 | |
| Babeljs Babel | =8.0.0-alpha.3 | |
| Babeljs Babel-helper-define-polyfill-provider | <0.4.3 | |
| Babeljs Babel-plugin-polyfill-corejs2 | <0.4.6 | |
| Babeljs Babel-plugin-polyfill-corejs3 | <0.8.5 | |
| Babeljs Babel-plugin-polyfill-es-shims | <0.10.0 | |
| Babeljs Babel-plugin-polyfill-regenerator | <0.5.3 | |
| Babeljs Babel-plugin-transform-runtime | <7.23.2 | |
| Babeljs Babel-preset-env | <7.23.2 | |
| debian/node-babel7 | <=7.4.5-1<=7.20.15+ds1+~cs214.269.168-4 | 7.20.15+ds1+~cs214.269.168-5 7.20.15+ds1+~cs214.269.168-3+deb12u1 7.12.12+~cs150.141.84-6+deb11u1 |
| npm/@babel/traverse | >=8.0.0-alpha.0<8.0.0-alpha.4 | 8.0.0-alpha.4 |
| npm/@babel/traverse | <7.23.2 | 7.23.2 |
| debian/node-babel | <=6.26.0+dfsg-3 | 6.26.0+dfsg-3+deb10u1 |
| debian/node-babel7 | <=7.12.12+~cs150.141.84-6 | 7.12.12+~cs150.141.84-6+deb11u1 7.20.15+ds1+~cs214.269.168-3+deb12u1 7.20.15+ds1+~cs214.269.168-6 |
| npm/babel-traverse | <7.23.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82
- https://github.com/babel/babel/pull/16033
- https://github.com/babel/babel/releases/tag/v7.23.2
- https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4
- https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92
- https://lists.debian.org/debian-lts-announce/2023/10/msg00026.html
- https://www.debian.org/security/2023/dsa-5528
- https://security-tracker.debian.org/tracker/CVE-2023-45133
- https://www.cve.org/CVERecord?id=CVE-2023-45133
- https://salsa.debian.org/js-team/node-babel/-/commit/ff932dfe976deb4b61b26ffb8f7bd8535df95c4b
- https://bugs.debian.org/1053880
- https://salsa.debian.org/js-team/node-babel/-/commit/b77c2b9b7cdc2a5201bf0f7d258348e5ee5312c3
- https://salsa.debian.org/js-team/node-babel/-/commit/ab1563acf5657fad72235f0cd90f8a709fddc4f4
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053880
- https://nvd.nist.gov/vuln/detail/CVE-2023-45133
- https://babeljs.io/blog/2023/10/16/cve-2023-45133
- https://github.com/advisories/GHSA-67hx-6x53-jw92 (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/268647
- https://www.ibm.com/support/pages/node/7096365 (Advisory)
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2023-45133.
What is the impact of this vulnerability?
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()` or `path.evaluateTruthy()` internal Babel methods.
Which versions of @babel/traverse are affected by this vulnerability?
Versions up to and including 8.0.0-alpha.4 of @babel/traverse are affected by this vulnerability.
What other packages or software are affected by this vulnerability?
Other affected packages include node-babel version up to and including 6.26.0+dfsg-3 and node-babel7 versions up to and including 7.12.12+~cs150.141.84-6.
How to remediate this vulnerability?
To remediate this vulnerability, update @babel/traverse to version 8.0.0-alpha.4 or later, node-babel to version 7.23.2 or later, and node-babel7 to version 7.12.12+~cs150.141.84-6 or later.
- collector/nvd-index
- collector/nvd-api
- collector/debian-bugs
- alias/CVE-2023-45133
- collector/security-tracker-debian
- agent/weakness
- agent/type
- collector/ibm-support
- source/IBM
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-67hx-6x53-jw92
- agent/software-canonical-lookup
- agent/remedy
- agent/references
- agent/severity
- agent/author
- agent/softwarecombine
- agent/description
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/tags
- agent/first-publish-date
- agent/event
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- version/debian debian linux/12.0
- vendor/babeljs
- canonical/babeljs babel
- version/babeljs babel/8.0.0-alpha.0
- version/babeljs babel/8.0.0-alpha.1
- version/babeljs babel/8.0.0-alpha.2
- version/babeljs babel/8.0.0-alpha.3
- canonical/babeljs babel-helper-define-polyfill-provider
- canonical/babeljs babel-plugin-polyfill-corejs2
- canonical/babeljs babel-plugin-polyfill-corejs3
- canonical/babeljs babel-plugin-polyfill-es-shims
- canonical/babeljs babel-plugin-polyfill-regenerator
- canonical/babeljs babel-plugin-transform-runtime
- canonical/babeljs babel-preset-env
- package-manager/debian
- package-manager/npm