GHSA-fv7c-fp4j-7gwpHighCVSS 8.2

@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input

Published
May 8, 2026
Last Modified
June 8, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code.

Known affected plugins are:

  • @babel/plugin-transform-modules-systemjs
  • @babel/preset-env when using the modules: "systemjs" option, as it delegates to @babel/plugin-transform-modules-systemjs

No other plugins under the @babel namespace are impacted.

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/[email protected].

Babel also released @babel/[email protected], updating its @babel/plugin-transform-modules-systemjs dependency, to simplify forcing the update if you are using @babel/preset-env directly.

Workarounds

  • Pin @babel/parser to v7.11.5. The downgrade will completely disable string module name parsing, but it would also disable other new language features and the build pipeline may fail as a result. Only do so if you are working on a legacy codebase and can not upgrade @babel/plugin-transform-modules-systemjs to v7.29.4.
  • Do not use the modules: "systemjs" option, migrate the codebase to native ES Modules or any other module formats.

Credits

Babel thanks Daniel Cervera for reporting the vulnerability.

🎯 Affected products2

  • npm/@babel/plugin-transform-modules-systemjs:>= 7.12.0, <= 7.29.3
  • npm/@babel/plugin-transform-modules-systemjs:>= 8.0.0-alpha.0, <= 8.0.0-alpha.12

🔗 References (3)