GHSA-FV7C-FP4J-7GWP

Vulnerability from github – Published: 2026-05-08 20:34 – Updated: 2026-05-08 20:34
Summary
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
Details

Impact

Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code.

Known affected plugins are:

  • @babel/plugin-transform-modules-systemjs
  • @babel/preset-env when using the modules: "systemjs" option, as it delegates to @babel/plugin-transform-modules-systemjs

No other plugins under the @babel namespace are impacted.

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/plugin-transform-modules-systemjs@7.29.4.

Babel also released @babel/preset-env@7.29.5, updating its @babel/plugin-transform-modules-systemjs dependency, to simplify forcing the update if you are using @babel/preset-env directly.

Workarounds

  • Pin @babel/parser to v7.11.5. That release predates 7.12.0, where the affected range of the plugin begins, and the downgrade completely disables string module name parsing; it also disables every other language feature the parser gained since then, so the build pipeline may fail as a result. Only do so if you are working on a legacy codebase and cannot upgrade @babel/plugin-transform-modules-systemjs to v7.29.4.
  • Do not use the modules: "systemjs" option; migrate the codebase to native ES Modules or another module format instead.
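As an added example (not Babel's code and not part of the advisory), the script below applies the affected ranges from the Patches section and the OSV data on this page to an `npm ls --all --json` dependency tree, so that a copy of the plugin nested under @babel/preset-env (the case the @babel/preset-env@7.29.5 release exists to address) is reported, not only the hoisted one. The semver precedence rules are written inline so the check has no dependencies of its own; the dependency tree is a constructed sample, and the output of `npm ls --all --json` from a real project would replace it.

```javascript
// Added example (not code from Babel or from this advisory): report every
// installed copy of @babel/plugin-transform-modules-systemjs whose version
// falls inside the ranges published in GHSA-fv7c-fp4j-7gwp, walking the tree
// that `npm ls --all --json` prints so that copies nested under
// @babel/preset-env are found as well as the hoisted one.

const PACKAGE = "@babel/plugin-transform-modules-systemjs";

// Affected ranges, copied from the advisory's OSV "affected" entries:
// introduced <= version < fixed.
const AFFECTED = [
  { introduced: "7.12.0", fixed: "7.29.4" },
  { introduced: "8.0.0-alpha.0", fixed: "8.0.0-alpha.13" },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; build metadata is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : null };
}

// Semver 2.0 precedence: numeric core first; a release ranks above any
// prerelease of the same core; prerelease identifiers compare numerically
// when both are digits, otherwise lexically, and a shorter identifier list
// ranks below a longer one that shares its prefix.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  if (!x.pre && !y.pre) return 0;
  if (!x.pre) return 1;
  if (!y.pre) return -1;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= x.pre.length) return -1;
    if (i >= y.pre.length) return 1;
    const p = x.pre[i], q = y.pre[i];
    const pNum = /^\d+$/.test(p), qNum = /^\d+$/.test(q);
    if (pNum && qNum) {
      if (Number(p) !== Number(q)) return Number(p) < Number(q) ? -1 : 1;
    } else if (pNum) {
      return -1; // numeric identifiers rank below alphanumeric ones
    } else if (qNum) {
      return 1;
    } else if (p !== q) {
      return p < q ? -1 : 1;
    }
  }
  return 0;
}

function isAffected(version) {
  return AFFECTED.some(
    (r) => compareVersions(version, r.introduced) >= 0 && compareVersions(version, r.fixed) < 0,
  );
}

// Recursively walk an `npm ls --all --json` tree and return one "a@x > b@y"
// path for every installed copy of the plugin that is still affected.
function findAffected(tree, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === PACKAGE && info.version && isAffected(info.version)) {
      hits.push(here.join(" > "));
    }
    hits.push(...findAffected(info, here));
  }
  return hits;
}

// Constructed sample tree (not real `npm ls` output): the hoisted plugin is
// patched, but a stale lockfile left @babel/preset-env with its own unpatched
// copy, which the advisory's @babel/preset-env@7.29.5 release is meant to force out.
const SAMPLE_TREE = {
  name: "webapp",
  version: "1.0.0",
  dependencies: {
    "@babel/core": { version: "7.29.3" },
    "@babel/plugin-transform-modules-systemjs": { version: "7.29.4" },
    "@babel/preset-env": {
      version: "7.29.4",
      dependencies: {
        "@babel/plugin-transform-modules-systemjs": { version: "7.29.3" },
        "@babel/plugin-transform-modules-commonjs": { version: "7.29.3" },
      },
    },
  },
};

for (const hit of findAffected(SAMPLE_TREE)) console.log(`affected: ${hit}`);
```

The prerelease branch matters here: the 8.x range only covers alpha builds, so a plain 8.0.0 or any beta is outside it, and a naive string or numeric comparison would get that wrong. Run it against a real project with `npm ls --all --json > tree.json` and pass the parsed file to findAffected; an empty result means every installed copy is already at 7.29.4 or 8.0.0-alpha.13 or later.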

Credits

Babel thanks Daniel Cervera for reporting the vulnerability.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.29.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@babel/plugin-transform-modules-systemjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.12.0"
            },
            {
              "fixed": "7.29.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.0-alpha.12"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@babel/plugin-transform-modules-systemjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0-alpha.0"
            },
            {
              "fixed": "8.0.0-alpha.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44728"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T20:34:07Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nUsing Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code.\n\nKnown affected plugins are:\n- `@babel/plugin-transform-modules-systemjs`\n- `@babel/preset-env` when using the [`modules: \"systemjs\"` option](https://babel.dev/docs/babel-preset-env#modules), as it delegates to `@babel/plugin-transform-modules-systemjs`\n\nNo other plugins under the `@babel` namespace are impacted.\n\n**Users that only compile trusted code are not impacted.**\n\n### Patches\n\nThe vulnerability has been fixed in `@babel/plugin-transform-modules-systemjs@7.29.4`.\n\nBabel also released `@babel/preset-env@7.29.5`, updating its `@babel/plugin-transform-modules-systemjs` dependency, to simplify forcing the update if you are using `@babel/preset-env` directly.\n\n### Workarounds\n\n- Pin `@babel/parser` to v7.11.5. The downgrade will completely disable string module name parsing, but it would also disable other new language features and the build pipeline may fail as a result. Only do so if you are working on a legacy codebase and can not upgrade `@babel/plugin-transform-modules-systemjs` to v7.29.4.\n- Do not use the `modules: \"systemjs\"` option, migrate the codebase to native ES Modules or any other module formats.\n\n### Credits\nBabel thanks Daniel Cervera for reporting the vulnerability.",
  "id": "GHSA-fv7c-fp4j-7gwp",
  "modified": "2026-05-08T20:34:07Z",
  "published": "2026-05-08T20:34:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/babel/babel/security/advisories/GHSA-fv7c-fp4j-7gwp"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/babel/babel"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input"
}

