CVE-2023-45133: Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods.
Known affected plugins are:
- @babel/plugin-transform-runtime
- @babel/preset-env when using its useBuiltIns option
- Any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator
No other plugins under the @babel/ namespace are impacted, but third-party plugins might be.
Users that only compile trusted code are not impacted.
References
- babeljs.io/blog/2023/10/16/cve-2023-45133
- github.com/advisories/GHSA-67hx-6x53-jw92
- github.com/babel/babel
- github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82
- github.com/babel/babel/pull/16033
- github.com/babel/babel/releases/tag/v7.23.2
- github.com/babel/babel/releases/tag/v8.0.0-alpha.4
- github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92
- lists.debian.org/debian-lts-announce/2023/10/msg00026.html
- nvd.nist.gov/vuln/detail/CVE-2023-45133
- www.debian.org/security/2023/dsa-5528