CVE-2023-45133
📋 TL;DR
This vulnerability in Babel's @babel/traverse allows arbitrary code execution during JavaScript compilation when processing maliciously crafted code. It affects users who compile untrusted code using specific Babel plugins that rely on path.evaluate() or path.evaluateTruthy() methods. Only users compiling untrusted code are impacted.
💻 Affected Systems
- @babel/traverse
- babel-traverse
- @babel/plugin-transform-runtime
- @babel/preset-env
- @babel/helper-define-polyfill-provider
- babel-plugin-polyfill-corejs3
- babel-plugin-polyfill-corejs2
- babel-plugin-polyfill-es-shims
- babel-plugin-polyfill-regenerator
📦 What is this software?
Babel by Babeljs
Babel Helper Define Polyfill Provider by Babeljs
Babel Plugin Polyfill Regenerator by Babeljs
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution on the compilation server, potentially leading to full system compromise and data exfiltration.
Likely Case
Compilation server compromise allowing attacker to execute arbitrary code in the compilation environment.
If Mitigated
No impact if only compiling trusted code or using unaffected plugins.
🎯 Exploit Status
Exploitation requires crafting malicious JavaScript code that triggers vulnerable code paths during compilation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: @babel/traverse@7.23.2 or @babel/traverse@8.0.0-alpha.4
Vendor Advisory: https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92
Restart Required: No
Instructions:
1. Update @babel/traverse to v7.23.2 or v8.0.0-alpha.4.
2. Update affected plugins: @babel/plugin-transform-runtime to v7.23.2, @babel/preset-env to v7.23.2, @babel/helper-define-polyfill-provider to v0.4.3, babel-plugin-polyfill-corejs2 to v0.4.6, babel-plugin-polyfill-corejs3 to v0.8.5, babel-plugin-polyfill-es-shims to v0.10.0, babel-plugin-polyfill-regenerator to v0.5.3.
🔧 Temporary Workarounds
Disable affected plugins
Remove or disable vulnerable plugins if they are not essential
Remove affected plugins from babel.config.js or .babelrc
Restrict code compilation
Only compile code from trusted sources
🧯 If You Can't Patch
- Isolate compilation environment in sandbox/container
- Implement strict input validation for compiled code
🔍 How to Verify
Check if Vulnerable:
Check package.json and lock files for vulnerable versions of @babel/traverse (below 7.23.2, or below 8.0.0-alpha.4 on the 8.x pre-release line) or of the affected plugins listed above; note that nested copies of @babel/traverse under other packages' node_modules are affected too.
Check Version:
npm list @babel/traverse @babel/plugin-transform-runtime @babel/preset-env @babel/helper-define-polyfill-provider
Verify Fix Applied:
Verify installed versions match patched versions: @babel/traverse >=7.23.2 or >=8.0.0-alpha.4
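To make the lockfile check above repeatable, here is an added example (not the advisory's or Babel's own code) that walks a lockfileVersion 2/3 package-lock.json, nested copies included, and flags entries below the patched versions listed in the Instructions; the sample lockfile is constructed, and a small semver comparison is included so the 8.0.0-alpha.N pre-release line is ordered correctly.

```javascript
const FIXED = {  // added example, not Babel's code; first patched release per major line, per this advisory
  '@babel/traverse': ['7.23.2', '8.0.0-alpha.4'], 'babel-traverse': [],  // babel-traverse: no fix listed
  '@babel/plugin-transform-runtime': ['7.23.2'], '@babel/preset-env': ['7.23.2'],
  '@babel/helper-define-polyfill-provider': ['0.4.3'],
  'babel-plugin-polyfill-corejs2': ['0.4.6'], 'babel-plugin-polyfill-corejs3': ['0.8.5'],
  'babel-plugin-polyfill-es-shims': ['0.10.0'], 'babel-plugin-polyfill-regenerator': ['0.5.3'],
};
function parseVer(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  return m ? { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : null } : null;
}
// Semver order: core numbers; a release outranks its pre-releases; numeric pre-release ids compare as numbers and rank below words.
function cmpVer(a, b) {
  for (let i = 0; i < 3; i++) if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  if (!a.pre || !b.pre) return (a.pre ? 0 : 1) - (b.pre ? 0 : 1);
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) { if (+x !== +y) return +x - +y; }
    else if (nx !== ny) return nx ? -1 : 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
function isPatched(name, version) {
  const fixes = FIXED[name];
  if (fixes === undefined) return true;  // not an affected package
  const v = parseVer(version);
  if (!v) return false;                  // unparsable version: treat as unverified
  const sameMajor = fixes.map(parseVer).filter((f) => f.core[0] === v.core[0]);
  if (sameMajor.length) return cmpVer(v, sameMajor[0]) >= 0;
  return fixes.length > 0 && fixes.every((f) => parseVer(f).core[0] < v.core[0]);  // only a newer major is safe
}
// Walks the "packages" map of a lockfileVersion 2/3 package-lock.json, nested copies included.
function auditLockfile(lock) {
  const hits = [];
  for (const [p, e] of Object.entries(lock.packages || {})) {
    if (p === '') continue;  // root project entry
    const name = e.name || p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (!isPatched(name, e.version)) hits.push({ path: p, name, version: e.version });
  }
  return hits;
}
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {  // constructed sample, not a real project
  'node_modules/@babel/traverse': { version: '7.23.2' },
  'node_modules/@babel/preset-env': { version: '7.22.20' },
  'node_modules/some-tool/node_modules/@babel/traverse': { version: '7.22.8' },
} };
for (const h of auditLockfile(SAMPLE_LOCK)) console.log(`VULNERABLE ${h.name}@${h.version} (${h.path})`);
```

Against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLockfile` instead of the sample.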
📡 Detection & Monitoring
Log Indicators:
- Unusual compilation errors
- Suspicious code patterns in compilation input
- Unexpected process execution during compilation
Network Indicators:
- Outbound connections from compilation process to unexpected destinations
SIEM Query:
Child processes spawned by babel or node compilation processes with unusual arguments or an unexpected parent process
🔗 References
- https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82
- https://github.com/babel/babel/pull/16033
- https://github.com/babel/babel/releases/tag/v7.23.2
- https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4
- https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92
- https://lists.debian.org/debian-lts-announce/2023/10/msg00026.html
- https://www.debian.org/security/2023/dsa-5528