Babel @babel/plugin-transform-modules-systemjs Arbitrary Code Execution Vulnerability (CVE-2024-44728)

Vulnerability Overview Vulnerability Name: Improper Control of Generation of Code when compiling specifically crafted malicious code with @babel/plugin-transform-modules-systemjs Vulnerability ID: GHSA-h7c-fp4j-7gwp Severity: High (8.2/10) Published Date: 3 weeks ago Reporter: JLHwung Impact Scope Affected Versions: - @babel/plugin-transform-modules-systemjs: 7.12.0 - 7.29.3 - @babel/preset-env: 8.0.0-alpha.0 - 8.0.0-alpha.12, 8.0.0-alpha.13 Impact Description: Using Babel to compile specifically crafted malicious code may cause Babel to generate output code that executes arbitrary code. Known Affected Plugins: - @babel/plugin-transform-modules-systemjs - @babel/preset-env (when using the option, as it delegates to @babel/plugin-transform-modules-systemjs) Other Plugins: Other plugins under the @babel namespace are not affected. User Impact: Users who only compile trusted code are not affected. Remediation Patched Versions: - @babel/plugin-transform-modules-systemjs: 7.29.4 - @babel/preset-env: 7.29.5 Update Recommendations: - Update @babel/plugin-transform-modules-systemjs to 7.29.4. - If using @babel/preset-env directly, also update to 7.29.5. Temporary Solutions: - Downgrade @babel/parser to v7.11.5 (Note: This will completely disable module name resolution and may cause other new language features and build pipelines to fail. It is only recommended for use on legacy codebases where upgrading @babel/plugin-transform-modules-systemjs to v7.29.4 is not possible). - Avoid using the option and migrate the codebase to native ES modules or other module formats. Additional Information CVSS v3 Base Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: Required - Scope: Changed - Confidentiality: High - Integrity: High - Availability: High CVE ID: CVE-2024-44728 Weaknesses: - CWE-94 - CWE-643 Contributors: - JLHwung (Remediation developer) - daniel-nst (Reporter) - nicole-ribaud (Remediation reviewer) Acknowledgments Thanks to Daniel Cervera for reporting this vulnerability.

Goal Reached Thanks to every supporter — we hit 100%!

Babel @babel/plugin-transform-modules-systemjs Arbitrary Code Execution Vulnerability (CVE-2024-44728)

More from this source