PT-2025-10894

Mmmsssttt404 · Published 2025-03-11 · Updated 2026-06-04 · CVE-2025-27789

CVSS v3.1: 6.2 (Medium)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Babel 7.x prior to 7.26.10, and Babel 8.0.0-alpha.x prior to 8.0.0-alpha.17. The affected packages are @babel/helpers and @babel/runtime.
Description: When Babel compiles regular expressions that use named capturing groups, it emits a helper that polyfills the .replace method for those regular expressions. That helper expands the replacement pattern (the second argument of .replace) with quadratic complexity for some replacement strings. Generated code is affected only when all three conditions hold: Babel compiles regular expressions with named capturing groups, the code calls .replace on such a regular expression, and the second argument of .replace is an untrusted string. An attacker who controls that string can make the call consume CPU time that grows quadratically with the string's length, which is a denial of service. Babel only emits the helper when it actually transforms named capturing groups; with @babel/preset-env that is the case when the configured targets lack native support for them, so builds that target engines with native support do not contain it.
Recommendations: For Babel 7.x, upgrade @babel/helpers and @babel/runtime to 7.26.10 and re-compile the code. For Babel 8 alphas, upgrade @babel/helpers and @babel/runtime to 8.0.0-alpha.17 and re-compile the code. Re-compiling matters because the helper is inlined into the generated output by default, so the fix in @babel/helpers only reaches the output after a rebuild; when @babel/plugin-transform-runtime is used, the helper is imported from @babel/runtime instead, so that package must be updated as well. As a temporary workaround, do not pass untrusted strings as the second argument of .replace until the patch is applied and the code is re-compiled; inserting untrusted text through a function replacer avoids the substitution-pattern expansion entirely.
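The example below is added here and is not Babel's helper code. It is a simplified model of the step the description refers to: rewriting "$<name>" references in a replacement string before the native .replace sees it. It shows that step once with a backtracking regex, whose cost is quadratic on an untrusted string made of unclosed "$<" sequences, and once as an equivalent linear scan, and it ends with the workaround from the recommendations, a function replacer that keeps untrusted text out of the substitution-pattern path. The group table GROUPS, the sample pattern DATE_RE and all sample inputs are constructed for this example.

```javascript
// Added illustrative model, not Babel's helper: how a named-capturing-group
// polyfill might rewrite "$<name>" in a replacement string into "$N" before
// delegating to the native .replace, and why that rewrite must not backtrack
// over attacker-controlled input. GROUPS and the inputs below are constructed.

// Group name -> 1-based group index, as a polyfill would derive it from the
// pattern source. Constructed for this example.
const GROUPS = { year: 1, month: 2, day: 3 };

// Backtracking rewrite. For every "$<" that is never closed, [^>]+ runs to the
// end of the string and then gives back one character at a time looking for
// ">", so a string of N unclosed "$<" costs on the order of N^2 steps.
function expandBacktracking(substitution, groups) {
  return substitution.replace(/\$<([^>]+)>/g, (whole, name) =>
    Object.prototype.hasOwnProperty.call(groups, name) ? "$" + groups[name] : whole
  );
}

// Linear rewrite producing the same output. The search for ">" is the only
// step that could re-scan text; once it fails it can never succeed further
// right, so the remainder is copied verbatim and the loop ends instead of
// restarting the search at the next "$<".
function expandLinear(substitution, groups) {
  let out = "";
  let i = 0;
  while (i < substitution.length) {
    const open = substitution.indexOf("$<", i);
    if (open === -1) {
      out += substitution.slice(i);
      break;
    }
    const close = substitution.indexOf(">", open + 2);
    if (close === -1) {
      // No closing ">" anywhere after this point: nothing further can be a reference.
      out += substitution.slice(i);
      break;
    }
    if (close === open + 2) {
      // "$<>" has an empty name, which [^>]+ rejects; keep it literal and move on.
      out += substitution.slice(i, close + 1);
      i = close + 1;
      continue;
    }
    const name = substitution.slice(open + 2, close);
    out += substitution.slice(i, open);
    out += Object.prototype.hasOwnProperty.call(groups, name)
      ? "$" + groups[name]
      : substitution.slice(open, close + 1);
    i = close + 1;
  }
  return out;
}

// The advisory's workaround, applied: an untrusted string is inserted through a
// function replacer. Per the ECMAScript semantics a function replacer's return
// value is used verbatim and never parsed for "$" substitution patterns, so no
// "$<name>" expansion runs over the attacker-controlled text.
const DATE_RE = /(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})/g; // constructed sample pattern

function replaceLiteral(input, untrustedReplacement) {
  return input.replace(DATE_RE, () => untrustedReplacement);
}

// Rough cost comparison on a hostile replacement string: N unclosed "$<".
function compareCost(pairs) {
  const hostile = "$<".repeat(pairs);
  const t0 = Date.now();
  const a = expandBacktracking(hostile, GROUPS);
  const t1 = Date.now();
  const b = expandLinear(hostile, GROUPS);
  const t2 = Date.now();
  return { sameOutput: a === b, backtrackingMs: t1 - t0, linearMs: t2 - t1 };
}

console.log(expandLinear("$<year>/$<month>/$<day>", GROUPS)); // "$1/$2/$3"
console.log(replaceLiteral("on 2025-03-11", "$<year>$1$&")); // "on $<year>$1$&"
console.log(compareCost(10000));
```

Doubling the argument to compareCost roughly quadruples backtrackingMs while linearMs stays flat, which is the behaviour the CVE describes; an untrusted replacement string of a few hundred kilobytes is enough to stall an event loop. The function-replacer form is the right workaround only when the untrusted text is meant to be inserted literally; if callers rely on "$<name>" templating, the expansion has to be done with a linear scanner such as expandLinear before upgrading makes the polyfill itself safe.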

Exploit · Fix · DoS

Related Identifiers

CVE-2025-27789
GHSA-968P-4WVH-CQC8

Affected Products

@babel/helpers
@babel/runtime
Babel