CVE CyberSecurity Database News

CVE-2023-45133 - Arbitrary Code Execution Vulnerability in Babel JavaScript Compiler

Poster -

Babel is a popular JavaScript compiler that helps developers write code using the latest ECMAScript standards. Recently, a critical arbitrary code execution vulnerability was discovered in @babel/traverse prior to versions 7.23.2 and 8..-alpha.4, and all versions of babel-traverse. This vulnerability could allow attackers to execute arbitrary code during the compilation process when certain plugins are in use. In this post, we will provide an in-depth look at the vulnerability, affected packages, potential exploits, and available patches.

Vulnerability Description

The vulnerability exists in the @babel/traverse and babel-traverse packages when certain plugins use the internal Babel methods path.evaluate() or path.evaluateTruthy(). If attackers can craft specific code to be compiled by one of these vulnerable packages, they can potentially execute arbitrary code during the compilation process.

Some known affected plugins include @babel/plugin-transform-runtime, @babel/preset-env when the useBuiltIns option is used, and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator.

Here's a sample code snippet to demonstrate the issue

const babel = require("@babel/core");
const runtimePlugin = require("@babel/plugin-transform-runtime");

babel.transformSync("malicious_code_here", {
  plugins: [runtimePlugin],
});

This vulnerability impacts users who compile untrusted code with the affected plugins. Note that no other plugins under the @babel/ namespace are impacted, but third-party plugins might be.

Original References

- Official Security Advisory on GitHub
- NVD Vulnerability Details - CVE-2023-45133

Exploit Details

To exploit this vulnerability, an attacker needs to craft specific code to be compiled using Babel with one of the affected plugins. When the vulnerable path.evaluate() or path.evaluateTruthy() methods are used during the compilation process by these plugins, arbitrary code execution can occur.

Patch and Upgrade Information

The vulnerability has been fixed in @babel/traverse@7.23.2 and @babel/traverse@8..-alpha.4. If you are using one of the affected packages mentioned earlier, you should upgrade them to their latest versions to avoid triggering the vulnerable code path:

- @babel/plugin-transform-runtime v7.23.2
- @babel/preset-env v7.23.2
- @babel/helper-define-polyfill-provider v.4.3

To upgrade, use the following command

npm install @babel/traverse@7.23.2

or

yarn add @babel/traverse@7.23.2

Conclusion

JavaScript developers using Babel should be aware of this critical arbitrary code execution vulnerability and take necessary precautions. If you are using any of the affected plugins, it's highly recommended to upgrade them and the @babel/traverse package to their latest patched versions. Additionally, always be cautious when compiling untrusted code with Babel or other similar tools, as it might expose your systems to potential risks. Stay safe and keep your projects up-to-date!

Timeline

Published on: 10/12/2023 17:15:09 UTC
Last modified on: 10/24/2023 16:52:20 UTC