GHSA-fv7c-fp4j-7gwpHighCVSS 8.2
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
🔗 CVE IDs covered (1)
📋 Description
Impact
Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code.
Known affected plugins are:
@babel/plugin-transform-modules-systemjs@babel/preset-envwhen using themodules: "systemjs"option, as it delegates to@babel/plugin-transform-modules-systemjs
No other plugins under the @babel namespace are impacted.
Users that only compile trusted code are not impacted.
Patches
The vulnerability has been fixed in @babel/[email protected].
Babel also released @babel/[email protected], updating its @babel/plugin-transform-modules-systemjs dependency, to simplify forcing the update if you are using @babel/preset-env directly.
Workarounds
- Pin
@babel/parserto v7.11.5. The downgrade will completely disable string module name parsing, but it would also disable other new language features and the build pipeline may fail as a result. Only do so if you are working on a legacy codebase and can not upgrade@babel/plugin-transform-modules-systemjsto v7.29.4. - Do not use the
modules: "systemjs"option, migrate the codebase to native ES Modules or any other module formats.
Credits
Babel thanks Daniel Cervera for reporting the vulnerability.
🎯 Affected products2
- npm/@babel/plugin-transform-modules-systemjs:>= 7.12.0, <= 7.29.3
- npm/@babel/plugin-transform-modules-systemjs:>= 8.0.0-alpha.0, <= 8.0.0-alpha.12