CVE-2023-45133

Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code

Description

Babel is a compiler for writingJavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of `babel-traverse`, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods. Known affected plugins are `@babel/plugin-transform-runtime`; `@babel/preset-env` when using its `useBuiltIns` option; and any "polyfill provider" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`. No other plugins under the `@babel/` namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in `@babel/traverse@7.23.2` and `@babel/traverse@8.0.0-alpha.4`. Those who cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions: `@babel/plugin-transform-runtime` v7.23.2, `@babel/preset-env` v7.23.2, `@babel/helper-define-polyfill-provider` v0.4.3, `babel-plugin-polyfill-corejs2` v0.4.6, `babel-plugin-polyfill-corejs3` v0.8.5, `babel-plugin-polyfill-es-shims` v0.10.0, `babel-plugin-polyfill-regenerator` v0.5.3.

Categories

9.3
CVSS
Severity: Critical
CVSS 3.1 •
EPSS 0.07%
Third-Party Advisory github.com Third-Party Advisory debian.org
Affected: babel babel
Published at:
Updated at:

References

Link Tags
https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92 third party advisory
https://github.com/babel/babel/pull/16033 issue tracking
https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82 patch
https://github.com/babel/babel/releases/tag/v7.23.2 patch
https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4 patch
https://www.debian.org/security/2023/dsa-5528 issue tracking
https://lists.debian.org/debian-lts-announce/2023/10/msg00026.html third party advisory mailing list

Frequently Asked Questions

What is the severity of CVE-2023-45133?
CVE-2023-45133 has been scored as a critical severity vulnerability.
How to fix CVE-2023-45133?
To fix CVE-2023-45133, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-45133 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-45133 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-45133?
CVE-2023-45133 affects babel babel.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.