CVE-2023-45133: Incomplete List of Disallowed Inputs in Babel

Severity: 8.8 HIGH (NVD)
EPSS: 0.1% (top 74.09%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 12; Latest update Nov 13

Description

Babel is a compiler for writing JavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4, and in all versions of `babel-traverse`, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation when using plugins that rely on the `path.evaluate()` or `path.evaluateTruthy()` internal Babel methods. Known affected plugins are `@babel/plugin-transform-runtime`; `@babel/preset-env` when using its `useBuiltIns` option; an
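The exposure condition here is compiling untrusted input with an affected `@babel/traverse`, and because build tooling routinely hoists or nests several copies of that package, the practical first check is to find every copy in the lockfile and compare it against the fixed versions the description names. The script below is an added example written for this page, not code from the Babel project. It assumes an npm `package-lock.json` of lockfileVersion 2 or 3 (which carries a top-level `packages` map keyed by install path), takes the affected ranges exactly as stated above (`@babel/traverse` below 7.23.2, 8.0.0 prereleases before alpha.4, every version of `babel-traverse`), treats any 8.x version at or after 8.0.0-alpha.4 as fixed, and uses a constructed sample lockfile so it runs offline.

```javascript
'use strict';

// Added example (not Babel project code): scan a package-lock.json "packages" map
// (lockfileVersion 2/3) for copies of @babel/traverse or babel-traverse inside the
// ranges CVE-2023-45133 describes. Assumed ranges, taken from the advisory text:
//   @babel/traverse  < 7.23.2
//   @babel/traverse  8.0.0-alpha.x before 8.0.0-alpha.4 (later 8.x treated as fixed)
//   babel-traverse   every version (the Babel 6 package, never patched)

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : [],
  };
}

// Precedence rules of semver 2.0.0: numeric core first; a prerelease ranks below its
// release; prerelease identifiers compare left to right, numeric by value and below
// alphanumeric ones; a shorter identifier list ranks below a longer equal prefix.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;
  if (pb.pre.length === 0) return -1;
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === y) continue;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) return Number(x) < Number(y) ? -1 : 1;
    if (xn) return -1;
    if (yn) return 1;
    return x < y ? -1 : 1;
  }
  if (pa.pre.length === pb.pre.length) return 0;
  return pa.pre.length < pb.pre.length ? -1 : 1;
}

// True when this package name/version pair falls inside an affected range.
function isVulnerableTraverse(name, version) {
  if (name === 'babel-traverse') return true;
  if (name !== '@babel/traverse') return false;
  if (parseSemver(version).core[0] >= 8) {
    return compareSemver(version, '8.0.0-alpha.4') < 0;
  }
  return compareSemver(version, '7.23.2') < 0;
}

// Walk every entry of the lockfile's "packages" map. Keys are install paths such as
// "node_modules/@babel/traverse" or "node_modules/x/node_modules/babel-traverse", so
// nested duplicate copies are reported alongside the hoisted one. An entry carries its
// own "name" only when it is an alias; otherwise the name is the tail of the path.
function scanLockfile(lock) {
  const findings = [];
  const marker = 'node_modules/';
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (installPath === '' || !entry.version) continue; // root project / links
    const name = entry.name ||
      installPath.slice(installPath.lastIndexOf(marker) + marker.length);
    if (isVulnerableTraverse(name, entry.version)) {
      findings.push({ path: installPath, name, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: the hoisted copy is fixed, three nested copies are not.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@babel/core': { version: '7.23.0' },
    'node_modules/@babel/traverse': { version: '7.23.2' },
    'node_modules/@babel/preset-env': { version: '7.22.20' },
    'node_modules/old-tool/node_modules/@babel/traverse': { version: '7.22.20' },
    'node_modules/legacy-build/node_modules/babel-traverse': { version: '6.26.0' },
    'node_modules/next-gen/node_modules/@babel/traverse': { version: '8.0.0-alpha.3' },
  },
};

// Stand-alone run against the constructed sample.
for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.name}@${f.version} is in an affected range (CVE-2023-45133)`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; `npm ls @babel/traverse` gives the same tree view interactively. Reporting nested copies matters because a hoisted 7.23.2 does not protect a build whose plugin pins its own older `@babel/traverse` underneath it.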

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.0 | Impact: 6.0

Affected Packages: 12 packages

Also affects: Debian Linux 10.0, 11.0, 12.0

Patches

Vulnerability Details (3)

GHSA: Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code (2023-10-16)
OSV: Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code (2023-10-16)
OSV: CVE-2023-45133: Babel is a compiler for writing JavaScript (2023-10-12)

Vendor Advisories (4)

CISA ICS: Siemens COMOS (2025-11-13)
Red Hat: babel: arbitrary code execution (2023-10-11)
Microsoft: Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code (2023-10-10)
Debian: CVE-2023-45133: node-babel7 - Babel is a compiler for writing JavaScript. In `@babel/traverse` prior to version... (2023)