Babel Compiler Vulnerability Could Allow Hackers to Execute Arbitrary Code

CVSS v3.1: 9.4

Babel is a popular open source compiler for JavaScript that allows developers to write code in the latest JavaScript syntax and compile it down to a version that can run in older browsers. A vulnerability has been discovered in Babel that could allow attackers to execute arbitrary code during the compilation process if specially crafted malicious code is compiled.

The vulnerability exists in the way Babel handles path evaluation during compilation when using certain plugins. Plugins like @babel/plugin-transform-runtime and @babel/preset-env are affected when using specific options. This allows an attacker who can supply code to the compiler to potentially execute malicious code on the user’s machine during compilation.

If you use Babel, make sure you are on a version that contains the fix: @babel/traverse@7.23.2 or above. Users of the affected plugins should upgrade them as well. Only compiling trusted, untampered code from reliable sources can fully prevent exploitation.

Babel is widely used, but some basic precautions can protect you from this vulnerability until you are able to upgrade. Treat any third-party code with caution and never compile unknown or untrusted code with Babel. Keeping Babel itself and all of its plugins up to date is also recommended.