How to fix CVE-2025-27789?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Is Babel affected by CVE-2025-27789?

Organizations using Babel should be aware of moderate risk from CVE-2025-27789 rated CVSS 6.2. Exploitation could compromise the security of affected deployments. Organizations should apply vendor updates when available and monitor for exploitation.

Babel CVE-2025-27789

MEDIUM

Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)

2025-03-11 [email protected]

GHSA-968p-4wvh-cqc8

Denial Of Service

6.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 19:52 vuln.today

CVE Published

Mar 11, 2025 - 20:15 nvd

MEDIUM 6.2

DescriptionNVD

Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the .replace method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of .replace. This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on @babel/helpers, and instead depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees use of a new enough @babel/helpers version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.

AnalysisAI

Technical ContextAI

This vulnerability (CWE-1333: Inefficient Regular Expression Complexity (ReDoS)) affects Babel is a compiler for writing next generation JavaScript. When using versions of Babel. Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, usi

Affected ProductsAI

Product: Babel is a compiler for writing next generation JavaScript. When using versions of Babel. Versions: up to 7.26.10.

RemediationAI

Monitor vendor advisories for a patch.

CVE-2025-27789 vulnerability details – vuln.today

Back

Babel CVE-2025-27789

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

External POC / Exploit Code