CVE-2026-49356: @babel/core: Arbitrary File Read via sourceMappingURL Comment
Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is running Babel, if these conditions are all true:
- the attacker controls the input source code
- the attacker can read the output source code
- the attacker knows the path of the source map file that they want to read
Users that only compile trusted code are not impacted.
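A pre-compile guard for the situation described above, where untrusted source reaches @babel/core: it finds `sourceMappingURL` comments, keeps inline `data:` maps, and blanks out the ones that point at a path. This is an added example, not code from Babel or from this advisory; the function names and the sample input are constructed, and the regular expression is a conservative approximation, not Babel's own parser.

```javascript
// Added example (not Babel's code): guard untrusted source before compiling.
// Matches "//# sourceMappingURL=..." and "/*# sourceMappingURL=... */",
// including the legacy "@" marker. Conservative: it may also match the
// pattern inside a string literal, which is acceptable for untrusted input.
const MAP_COMMENT =
  /(?:\/\/[#@][ \t]*sourceMappingURL=([^\s'"`]+)[ \t]*$)|(?:\/\*[#@][ \t]*sourceMappingURL=([^*]+?)[ \t]*\*\/)/gm;

// List every source map reference with its position and kind.
function findSourceMapRefs(code) {
  return [...code.matchAll(MAP_COMMENT)].map((m) => {
    const url = (m[1] || m[2]).trim();
    return { url, inline: /^data:/i.test(url), index: m.index, text: m[0] };
  });
}

// Blank out references that are not inline data: URIs, i.e. the ones that
// would name a file or remote location. Characters are replaced by spaces
// (newlines kept) so line and column numbers in the code do not shift.
function stripExternalSourceMapRefs(code) {
  const external = findSourceMapRefs(code).filter((r) => !r.inline);
  let out = code;
  for (const r of external) {
    const blank = r.text.replace(/[^\r\n]/g, " ");
    out = out.slice(0, r.index) + blank + out.slice(r.index + r.text.length);
  }
  return { code: out, removed: external.map((r) => r.url) };
}

// Constructed sample input: one path reference, one inline map.
const SAMPLE = [
  "export const x = 1;",
  "//# sourceMappingURL=../../private/app.js.map",
  "/*# sourceMappingURL=data:application/json;base64,e30= */",
].join("\n");

const result = stripExternalSourceMapRefs(SAMPLE);
console.log(result.removed); // references that were blanked out
```

@babel/core also documents an `inputSourceMap` option; setting it to `false` stops it from loading an input map from the comment at all.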