EUVD-2026-31946
GHSA-fv7c-fp4j-7gwp
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Impact
Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code.
Known affected plugins are:
@babel/plugin-transform-modules-systemjs@babel/preset-envwhen using themodules: "systemjs"option, as it delegates to@babel/plugin-transform-modules-systemjs
No other plugins under the @babel namespace are impacted.
Users that only compile trusted code are not impacted.
Patches
The vulnerability has been fixed in @babel/plugin-transform-modules-systemjs@7.29.4.
Babel also released @babel/preset-env@7.29.5, updating its @babel/plugin-transform-modules-systemjs dependency, to simplify forcing the update if you are using @babel/preset-env directly.
Workarounds
- Pin
@babel/parserto v7.11.5. The downgrade will completely disable string module name parsing, but it would also disable other new language features and the build pipeline may fail as a result. Only do so if you are working on a legacy codebase and can not upgrade@babel/plugin-transform-modules-systemjsto v7.29.4. - Do not use the
modules: "systemjs"option, migrate the codebase to native ES Modules or any other module formats.
Credits
Babel thanks Daniel Cervera for reporting the vulnerability.
Analysis
Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. Known affected plugins are: - @babel/plugin-transform-modules-systemjs - @babel/preset-env when using the [modules: "systemjs" option](https://babel.dev/docs/babel-preset-env#modules), as it delegates to @babel/plugin-transform-modules-systemjs No other plugins under the @babel namespace are impacted. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today