Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02N2h4LTZ4NTMtanc5Ms4AA2eW
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Impact
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods.
Known affected plugins are:
@babel/plugin-transform-runtime@babel/preset-envwhen using itsuseBuiltInsoption- Any "polyfill provider" plugin that depends on
@babel/helper-define-polyfill-provider, such asbabel-plugin-polyfill-corejs3,babel-plugin-polyfill-corejs2,babel-plugin-polyfill-es-shims,babel-plugin-polyfill-regenerator
No other plugins under the @babel/ namespace are impacted, but third-party plugins might be.
Users that only compile trusted code are not impacted.
Patches
The vulnerability has been fixed in @babel/[email protected].
Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.
Workarounds
- Upgrade
@babel/traverseto v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies.@babel/core>=7.23.2 will automatically pull in a non-vulnerable version. - If you cannot upgrade
@babel/traverseand are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected@babel/traverseversions:@babel/plugin-transform-runtimev7.23.2@babel/preset-envv7.23.2@babel/helper-define-polyfill-providerv0.4.3babel-plugin-polyfill-corejs2v0.4.6babel-plugin-polyfill-corejs3v0.8.5babel-plugin-polyfill-es-shimsv0.10.0babel-plugin-polyfill-regeneratorv0.5.3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02N2h4LTZ4NTMtanc5Ms4AA2eW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 7 months ago
Updated: 29 days ago
CVSS Score: 9.4
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Identifiers: GHSA-67hx-6x53-jw92, CVE-2023-45133
References:
- https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92
- https://nvd.nist.gov/vuln/detail/CVE-2023-45133
- https://github.com/babel/babel/pull/16033
- https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82
- https://github.com/babel/babel/releases/tag/v7.23.2
- https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4
- https://www.debian.org/security/2023/dsa-5528
- https://lists.debian.org/debian-lts-announce/2023/10/msg00026.html
- https://babeljs.io/blog/2023/10/16/cve-2023-45133
- https://github.com/advisories/GHSA-67hx-6x53-jw92
Blast Radius: 62.6
Affected Packages
npm:babel-traverse
Dependent packages: 1,221Dependent repositories: 1,220,610
Downloads: 12,185,563 last month
Affected Version Ranges: < 7.23.2
No known fixed version
All affected versions: 6.0.2, 6.0.14, 6.0.16, 6.0.17, 6.0.18, 6.0.19, 6.0.20, 6.1.2, 6.1.4, 6.1.17, 6.1.18, 6.1.20, 6.2.0, 6.2.4, 6.3.2, 6.3.13, 6.3.14, 6.3.15, 6.3.16, 6.3.17, 6.3.19, 6.3.21, 6.3.24, 6.3.25, 6.3.26, 6.4.5, 6.5.0, 6.6.0, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.7.0, 6.7.2, 6.7.3, 6.7.4, 6.7.5, 6.7.6, 6.8.0, 6.9.0, 6.10.4, 6.11.4, 6.12.0, 6.13.0, 6.14.0, 6.15.0, 6.16.0, 6.18.0, 6.19.0, 6.20.0, 6.21.0, 6.22.0, 6.22.1, 6.23.0, 6.23.1, 6.24.1, 6.25.0, 6.26.0
npm:@babel/traverse
Dependent packages: 3,467Dependent repositories: 4,583,249
Downloads: 189,276,867 last month
Affected Version Ranges: >= 8.0.0-alpha.0, < 8.0.0-alpha.4, < 7.23.2
Fixed in: 8.0.0-alpha.4, 7.23.2
All affected versions: 7.0.0, 7.1.0, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.2, 7.2.3, 7.3.4, 7.4.0, 7.4.3, 7.4.4, 7.4.5, 7.5.0, 7.5.5, 7.6.0, 7.6.2, 7.6.3, 7.7.0, 7.7.2, 7.7.4, 7.8.0, 7.8.3, 7.8.4, 7.8.6, 7.9.0, 7.9.5, 7.9.6, 7.10.0, 7.10.1, 7.10.3, 7.10.4, 7.10.5, 7.11.0, 7.11.5, 7.12.0, 7.12.1, 7.12.5, 7.12.7, 7.12.8, 7.12.9, 7.12.10, 7.12.12, 7.12.13, 7.12.17, 7.13.0, 7.13.13, 7.13.15, 7.13.17, 7.14.0, 7.14.2, 7.14.5, 7.14.7, 7.14.8, 7.14.9, 7.15.0, 7.15.4, 7.16.0, 7.16.3, 7.16.5, 7.16.7, 7.16.8, 7.16.10, 7.17.0, 7.17.3, 7.17.9, 7.17.10, 7.17.12, 7.18.0, 7.18.2, 7.18.5, 7.18.6, 7.18.8, 7.18.9, 7.18.10, 7.18.11, 7.18.13, 7.19.0, 7.19.1, 7.19.3, 7.19.4, 7.19.6, 7.20.0, 7.20.1, 7.20.5, 7.20.7, 7.20.8, 7.20.10, 7.20.12, 7.20.13, 7.21.0, 7.21.2, 7.21.3, 7.21.4, 7.21.5, 7.22.0, 7.22.1, 7.22.4, 7.22.5, 7.22.6, 7.22.7, 7.22.8, 7.22.10, 7.22.11, 7.22.15, 7.22.17, 7.22.18, 7.22.19, 7.22.20, 7.23.0, 8.0.0-alpha.0, 8.0.0-alpha.1, 8.0.0-alpha.2, 8.0.0-alpha.3
All unaffected versions: 7.23.2, 7.23.3, 7.23.4, 7.23.5, 7.23.6, 7.23.7, 7.23.9, 7.24.0, 7.24.1, 7.24.5