NVD Vulnerability Detail
CVE-2023-45133
Summary

Babel is a compiler for writing JavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of `babel-traverse`, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()` or `path.evaluateTruthy()` internal Babel methods. Known affected plugins are `@babel/plugin-transform-runtime`; `@babel/preset-env` when using its `useBuiltIns` option; and any "polyfill provider" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`. No other plugins under the `@babel/` namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in `@babel/traverse@7.23.2` and `@babel/traverse@8.0.0-alpha.4`. Those who cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions: `@babel/plugin-transform-runtime` v7.23.2, `@babel/preset-env` v7.23.2, `@babel/helper-define-polyfill-provider` v0.4.3, `babel-plugin-polyfill-corejs2` v0.4.6, `babel-plugin-polyfill-corejs3` v0.8.5, `babel-plugin-polyfill-es-shims` v0.10.0, `babel-plugin-polyfill-regenerator` v0.5.3.

Publication Date Oct. 13, 2023, 2:15 a.m.
Registration Date Oct. 13, 2023, 10 a.m.
Last Update Nov. 21, 2024, 5:26 p.m.
CVSS3.1 : HIGH
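Score 8.8
Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV) Local
Attack Complexity (AC) Low
Privileges Required (PR) Low
User Interaction (UI) None
Scope (S) Changed
Confidentiality Impact (C) High
Integrity Impact (I) High
Availability Impact (A) High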
Affected software configurations
Configuration 1
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*
Configuration 2
cpe:2.3:a:babeljs:babel:8.0.0:alpha.1:*:*:*:nodejs:*:*
cpe:2.3:a:babeljs:babel:8.0.0:alpha.2:*:*:*:nodejs:*:*
cpe:2.3:a:babeljs:babel:8.0.0:alpha.3:*:*:*:nodejs:*:*
cpe:2.3:a:babeljs:babel:8.0.0:alpha.0:*:*:*:nodejs:*:*
cpe:2.3:a:babeljs:babel:*:*:*:*:*:nodejs:*:* (less than 7.23.2)
Configuration 3
cpe:2.3:a:babeljs:babel-plugin-polyfill-regenerator:*:*:*:*:*:nodejs:*:* (less than 0.5.3)
cpe:2.3:a:babeljs:babel-plugin-polyfill-es-shims:*:*:*:*:*:nodejs:*:* (less than 0.10.0)
cpe:2.3:a:babeljs:babel-plugin-polyfill-corejs3:*:*:*:*:*:nodejs:*:* (less than 0.8.5)
cpe:2.3:a:babeljs:babel-plugin-polyfill-corejs2:*:*:*:*:*:nodejs:*:* (less than 0.4.6)
cpe:2.3:a:babeljs:babel-helper-define-polyfill-provider:*:*:*:*:*:nodejs:*:* (less than 0.4.3)
cpe:2.3:a:babeljs:babel-preset-env:*:*:*:*:*:nodejs:*:* (less than 7.23.2)
cpe:2.3:a:babeljs:babel-plugin-transform-runtime:*:*:*:*:*:nodejs:*:* (less than 7.23.2)
Related information, measures and tools
Common Vulnerabilities List

JVN Vulnerability Information
Title Improper comparison vulnerability in Debian GNU/Linux and other products from multiple vendors
Summary

Debian GNU/Linux and other products from multiple vendors contain an improper comparison vulnerability.

Possible impacts Information may be obtained, information may be tampered with, and a denial-of-service (DoS) condition may be caused.
Solution

Vendor advisories or patch information have been published. Refer to the reference information and apply the appropriate countermeasures.

Publication Date Oct. 12, 2023, midnight
Registration Date Dec. 27, 2023, 2:23 p.m.
Last Update Nov. 17, 2025, 2:08 p.m.
Affected System
babeljs
babel earlier than 7.23.2
babel 8.0.0
babel-helper-define-polyfill-provider earlier than 0.4.3
babel-plugin-polyfill-corejs2 earlier than 0.4.6
babel-plugin-polyfill-corejs3 earlier than 0.8.5
babel-plugin-polyfill-es-shims earlier than 0.10.0
babel-plugin-polyfill-regenerator earlier than 0.5.3
babel-plugin-transform-runtime earlier than 7.23.2
babel-preset-env earlier than 7.23.2
Debian
Debian GNU/Linux 10.0
Debian GNU/Linux 11.0
Debian GNU/Linux 12.0
CVE (Common Vulnerabilities and Exposures)
CWE (Common Weakness Enumeration)
Other
Change Log
No. Changed Details Date of change
1 [December 27, 2023]
  Published
Dec. 27, 2023, 2:23 p.m.
2 [November 17, 2025]
  References: added JVN (JVNVU#97698216)
  References: added ICS-CERT ADVISORY (ICSA-25-317-15)
Nov. 17, 2025, 1:45 p.m.