Skip to main content

Babel

13 CVEs tool

Monthly

CVE-2026-44728 npm HIGH PATCH GHSA This Week

### Impact Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. Known affected plugins are: - `@babel/plugin-transform-modules-systemjs` - `@babel/preset-env` when using the [`modules: "systemjs"` option](https://babel.dev/docs/babel-preset-env#modules), as it delegates to `@babel/plugin-transform-modules-systemjs` No other plugins under the `@babel` namespace are impacted. **Users that only compile trusted code are not impacted.** ### Patches The vulnerability has been fixed in `@babel/plugin-transform-modules-systemjs@7.29.4`. Babel also released `@babel/preset-env@7.29.5`, updating its `@babel/plugin-transform-modules-systemjs` dependency, to simplify forcing the update if you are using `@babel/preset-env` directly. ### Workarounds - Pin `@babel/parser` to v7.11.5. The downgrade will completely disable string module name parsing, but it would also disable other new language features and the build pipeline may fail as a result. Only do so if you are working on a legacy codebase and can not upgrade `@babel/plugin-transform-modules-systemjs` to v7.29.4. - Do not use the `modules: "systemjs"` option, migrate the codebase to native ES Modules or any other module formats. ### Credits Babel thanks Daniel Cervera for reporting the vulnerability.

Code Injection RCE Suse Babel
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-3408 PyPI LOW POC PATCH GHSA Monitor

Open Babel versions up to 3.1.1 contain a null pointer dereference in the CDXML file handler's OBAtom::GetExplicitValence function, allowing remote attackers to crash the application through maliciously crafted files. Public exploit code exists for this vulnerability, making it a practical attack vector for denial of service. A patch is available and should be applied to all affected installations.

Denial Of Service Open Babel Babel
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-2705 PyPI LOW POC PATCH GHSA Monitor

Out-of-bounds memory reads in Open Babel's MOL2 file handler (via OBAtom::SetFormalCharge function) allow remote attackers to trigger denial of service through malicious molecule files. Public exploit code is available for this vulnerability, which remains unpatched as of the advisory date. Versions up to 3.1.1 are affected.

Buffer Overflow Open Babel Babel
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-2704 PyPI LOW POC PATCH GHSA Monitor

Out-of-bounds read in Open Babel's CIF file handler (versions up to 3.1.1) allows remote denial of service when processing malicious files. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can trigger a crash by sending specially crafted input to the affected transform3d function without requiring authentication or user interaction beyond opening a file.

Buffer Overflow Open Babel Babel
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-11000 PyPI LOW POC PATCH GHSA Monitor

A vulnerability was determined in Open Babel up to 3.1.1. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Babel
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-10999 PyPI LOW POC PATCH GHSA Monitor

A vulnerability was found in Open Babel up to 3.1.1. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Babel
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-10998 PyPI LOW POC PATCH GHSA Monitor

A vulnerability has been found in Open Babel up to 3.1.1. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Babel
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-10997 PyPI LOW POC PATCH GHSA Monitor

A flaw has been found in Open Babel up to 3.1.1. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Babel
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-10996 PyPI LOW POC PATCH GHSA Monitor

A vulnerability was detected in Open Babel up to 3.1.1.cpp. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Babel
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-10995 PyPI LOW POC PATCH GHSA Monitor

A security vulnerability has been detected in Open Babel up to 3.1.1. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Babel
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-10994 PyPI LOW POC PATCH GHSA Monitor

A weakness has been identified in Open Babel up to 3.1.1. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Babel
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2023-45133 npm HIGH PATCH This Week

Babel is a compiler for writingJavaScript. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity.

RCE Debian Linux Babel Babel Helper Define Polyfill Provider Babel Plugin Polyfill Corejs2 +5
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2021-42771 PyPI HIGH POC PATCH This Week

Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Python Path Traversal RCE Babel Debian Linux
NVD GitHub
CVSS 3.1
7.8
EPSS
0.7%
EPSS 0% CVSS 8.2
HIGH PATCH This Week

### Impact Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. Known affected plugins are: - `@babel/plugin-transform-modules-systemjs` - `@babel/preset-env` when using the [`modules: "systemjs"` option](https://babel.dev/docs/babel-preset-env#modules), as it delegates to `@babel/plugin-transform-modules-systemjs` No other plugins under the `@babel` namespace are impacted. **Users that only compile trusted code are not impacted.** ### Patches The vulnerability has been fixed in `@babel/plugin-transform-modules-systemjs@7.29.4`. Babel also released `@babel/preset-env@7.29.5`, updating its `@babel/plugin-transform-modules-systemjs` dependency, to simplify forcing the update if you are using `@babel/preset-env` directly. ### Workarounds - Pin `@babel/parser` to v7.11.5. The downgrade will completely disable string module name parsing, but it would also disable other new language features and the build pipeline may fail as a result. Only do so if you are working on a legacy codebase and can not upgrade `@babel/plugin-transform-modules-systemjs` to v7.29.4. - Do not use the `modules: "systemjs"` option, migrate the codebase to native ES Modules or any other module formats. ### Credits Babel thanks Daniel Cervera for reporting the vulnerability.

Code Injection RCE Suse +1
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Open Babel versions up to 3.1.1 contain a null pointer dereference in the CDXML file handler's OBAtom::GetExplicitValence function, allowing remote attackers to crash the application through maliciously crafted files. Public exploit code exists for this vulnerability, making it a practical attack vector for denial of service. A patch is available and should be applied to all affected installations.

Denial Of Service Open Babel Babel
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Out-of-bounds memory reads in Open Babel's MOL2 file handler (via OBAtom::SetFormalCharge function) allow remote attackers to trigger denial of service through malicious molecule files. Public exploit code is available for this vulnerability, which remains unpatched as of the advisory date. Versions up to 3.1.1 are affected.

Buffer Overflow Open Babel Babel
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Out-of-bounds read in Open Babel's CIF file handler (versions up to 3.1.1) allows remote denial of service when processing malicious files. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can trigger a crash by sending specially crafted input to the affected transform3d function without requiring authentication or user interaction beyond opening a file.

Buffer Overflow Open Babel Babel
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

A vulnerability was determined in Open Babel up to 3.1.1. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Babel
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

A vulnerability was found in Open Babel up to 3.1.1. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Babel
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

A vulnerability has been found in Open Babel up to 3.1.1. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Babel
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

A flaw has been found in Open Babel up to 3.1.1. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Babel
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

A vulnerability was detected in Open Babel up to 3.1.1.cpp. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Babel
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

A security vulnerability has been detected in Open Babel up to 3.1.1. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Babel
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

A weakness has been identified in Open Babel up to 3.1.1. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Babel
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Babel is a compiler for writingJavaScript. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity.

RCE Debian Linux Babel +7
NVD GitHub
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Python Path Traversal RCE +2
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy