PT-2023-9458 · Babel+3 · @Babel/Plugin-Transform-Runtime+6
Steakenthusiast
·
Published
2023-10-04
·
Updated
2026-06-04
·
CVE-2023-45133
CVSS v3.1
9.3
Critical
| Vector | AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
@babel/traverse versions prior to 7.23.2 and 8.0.0-alpha.4
babel-traverse (all versions)
Description
The issue is related to the
path.evaluate() or path.evaluateTruthy() internal Babel methods. Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on these methods. Known affected plugins are @babel/plugin-transform-runtime, @babel/preset-env when using its useBuiltIns option, and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. Users that only compile trusted code are not impacted.Recommendations
- Upgrade
@babel/traverseto v7.23.2 or higher. - If you cannot upgrade
@babel/traverseand are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected@babel/traverseversions: @babel/plugin-transform-runtimev7.23.2@babel/preset-envv7.23.2@babel/helper-define-polyfill-providerv0.4.3babel-plugin-polyfill-corejs2v0.4.6babel-plugin-polyfill-corejs3v0.8.5babel-plugin-polyfill-es-shimsv0.10.0babel-plugin-polyfill-regeneratorv0.5.3
Exploit
Fix
Incomplete List of Disallowed Inputs
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
@Babel/Helper-Define-Polyfill-Provider
@Babel/Plugin-Transform-Runtime
@Babel/Preset-Env
@Babel/Traverse
Astra Linux
Bitbucket
Red Os