@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
Description
Impact
Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code.
Known affected plugins are: - @babel/plugin-transform-modules-systemjs - @babel/preset-env when using the `modules: "systemjs"` option, as it delegates to @babel/plugin-transform-modules-systemjs
No other plugins under the @babel namespace are impacted.
Users that only compile trusted code are not impacted.
Patches
The vulnerability has been fixed in @babel/plugin-transform-modules-systemjs@7.29.4.
Babel also released @babel/preset-env@7.29.5, updating its @babel/plugin-transform-modules-systemjs dependency, to simplify forcing the update if you are using @babel/preset-env directly.
Workarounds
- Pin
@babel/parserto v7.11.5. The downgrade will completely disable string module name parsing, but it would also disable other new language features and the build pipeline may fail as a result. Only do so if you are working on a legacy codebase and can not upgrade@babel/plugin-transform-modules-systemjsto v7.29.4. - Do not use the
modules: "systemjs"option, migrate the codebase to native ES Modules or any other module formats.
Credits
Babel thanks Daniel Cervera for reporting the vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@babel/plugin-transform-modules-systemjsnpm | >= 7.12.0, < 7.29.4 | 7.29.4 |
@babel/plugin-transform-modules-systemjsnpm | >= 8.0.0-alpha.0, < 8.0.0-alpha.13 | 8.0.0-alpha.13 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.