Babel is a popular JavaScript compiler that allows developers to use next-generation JavaScript syntax in their projects while still maintaining compatibility with older browsers. Recently, a vulnerability known as CVE-2025-27789 has been discovered, affecting certain versions of Babel (prior to 7.26.10 and 8.0.0-alpha.17) when compiling regular expression named capturing groups.
Affected Versions and Exploit Details
In affected Babel versions, the generated code can have quadratic complexity when using the .replace method with a specific pattern string. This means that the work done grows quadratically, not linearly, with the length of the replacement string passed to .replace, so a sufficiently long untrusted replacement string can tie up the CPU for far longer than expected. This issue affects users who meet all the following conditions:
1. They use Babel to compile regular expression named capturing groups.
2. They use the .replace method on a regular expression that contains named capturing groups.
3. They use untrusted strings as the second argument of .replace.
Here's an example code snippet that demonstrates the issue:
// Using Babel to compile regular expression named capturing groups
const regex = /(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})/;
// Using the .replace method on a regular expression that contains named capturing groups
const formatted = '2021-09-27'.replace(regex, 'Day: $<day>, Month: $<month>, Year: $<year>');
// Using untrusted strings as the second argument of .replace
const input = '2021-09-27';
const userInput = '...'; // Untrusted input, e.g. taken from a request parameter
const result = input.replace(regex, userInput);
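The third condition is the one a developer controls most directly, so it helps to see exactly what the second argument of .replace is allowed to do. The following is an added example, not code from the advisory or from Babel; it runs on plain Node.js without any Babel transform, so it illustrates how a substitution-pattern string is interpreted and how to keep untrusted text out of that interpretation, not the quadratic slowdown inside the compiled helper. The sample date and the untrusted replacement string are constructed for the demonstration.

```javascript
// Added example (not from the advisory or Babel): how the second argument of
// String.prototype.replace is interpreted, and how to keep untrusted text out
// of that interpretation. Runs on native Node.js without Babel, so it shows the
// precondition for the issue, not the quadratic behaviour of the compiled helper.

const DATE_RE = /(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})/;

// Pattern A (the risky shape from the advisory): the untrusted string is the
// substitution pattern, so "$<name>", "$1", "$&" and "$$" inside it are all
// interpreted (natively here; by Babel's helper when named groups are compiled
// down for older engines).
function replaceWithSubstitutionPattern(input, untrusted) {
  return input.replace(DATE_RE, untrusted);
}

// Pattern B: a replacer function. Whatever it returns is inserted verbatim; no
// "$" sequences are expanded, so the untrusted text never reaches the
// substitution-pattern parser at all.
function replaceLiteral(input, untrusted) {
  return input.replace(DATE_RE, () => untrusted);
}

// Pattern C: neutralise "$" as "$$" so a substitution-pattern string is inert.
function escapeSubstitution(s) {
  return s.replace(/\$/g, '$$$$'); // "$$$$" in a pattern string yields "$$"
}
function replaceEscaped(input, untrusted) {
  return input.replace(DATE_RE, escapeSubstitution(untrusted));
}

// The replacer form still lets trusted code use the named groups: the last
// argument passed to the replacer is the groups object.
function formatDate(input) {
  return input.replace(DATE_RE, (...args) => {
    const groups = args[args.length - 1];
    return `Day: ${groups.day}, Month: ${groups.month}, Year: ${groups.year}`;
  });
}

// Constructed sample input: a date, plus a replacement string that references
// the named groups and the whole match, as an untrusted value might.
const SAMPLE_INPUT = '2021-09-27';
const SAMPLE_UNTRUSTED = '$<day>/$<month>/$<year> ($&)';

console.log(replaceWithSubstitutionPattern(SAMPLE_INPUT, SAMPLE_UNTRUSTED)); // 27/09/2021 (2021-09-27)
console.log(replaceLiteral(SAMPLE_INPUT, SAMPLE_UNTRUSTED));                 // $<day>/$<month>/$<year> ($&)
console.log(replaceEscaped(SAMPLE_INPUT, SAMPLE_UNTRUSTED));                 // $<day>/$<month>/$<year> ($&)
console.log(formatDate(SAMPLE_INPUT));                                       // Day: 27, Month: 09, Year: 2021
```

Patterns B and C remove the third precondition by never letting untrusted text act as a substitution pattern, which is good practice regardless of this CVE; they do not patch the Babel helper itself, so the upgrade and recompile described below are still required for code that keeps passing strings as the second argument.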
Original References
1. CVE-2025-27789 - GitHub Advisory
2. Babel Changelog - 7.26.10
Solution and Workarounds
The issue has been fixed in @babel/helpers and @babel/runtime versions 7.26.10 and 8.0.0-alpha.17. While individual users might not depend directly on @babel/helpers, it is recommended to update to @babel/core version 7.26.10, as it depends on a newer version of @babel/helpers.
However, updating Babel dependencies alone is not enough. Users should also re-compile their code to ensure that the vulnerability is fully resolved. Currently, there are no known workarounds for this issue.
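To confirm that the installed versions are past the fixed releases named above, the following added example (not code from the advisory or from Babel) compares versions against 7.26.10 on the 7.x line and 8.0.0-alpha.17 on the 8 prerelease line, and scans a package-lock style "packages" map for @babel/helpers, @babel/runtime and @babel/core entries, including nested copies under a dependency's own node_modules. The lock-file object is constructed for the demonstration; the version parser is a small hypothetical helper written here, not the semver package.

```javascript
// Added example (not from the advisory or Babel): check installed Babel
// package versions against the fixed releases. Fixed versions per the
// advisory: 7.26.10 on the 7.x line and 8.0.0-alpha.17 on the 8 prerelease line.

// Parse "major.minor.patch" with an optional "-alpha.N" style prerelease tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return {
    major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]),
    prerelease: m[4] ? m[4].split('.') : null,
  };
}

// Compare prerelease identifier lists the way semver does: numeric ids compare
// as numbers (so alpha.2 < alpha.17), others as strings, and a shorter list
// that is a prefix of the other sorts lower.
function comparePrerelease(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] === undefined) return -1;
    if (b[i] === undefined) return 1;
    const an = /^\d+$/.test(a[i]), bn = /^\d+$/.test(b[i]);
    if (an && bn) { const d = Number(a[i]) - Number(b[i]); if (d) return d; }
    else if (an) return -1;
    else if (bn) return 1;
    else if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function compareVersions(x, y) {
  const a = parseVersion(x), b = parseVersion(y);
  for (const k of ['major', 'minor', 'patch']) if (a[k] !== b[k]) return a[k] - b[k];
  if (a.prerelease && !b.prerelease) return -1;   // 8.0.0-alpha.17 < 8.0.0
  if (!a.prerelease && b.prerelease) return 1;
  if (a.prerelease && b.prerelease) return comparePrerelease(a.prerelease, b.prerelease);
  return 0;
}

// True when the version is at or past the fixed version for its major line.
function hasFix(version) {
  const { major } = parseVersion(version);
  if (major <= 7) return compareVersions(version, '7.26.10') >= 0;
  return compareVersions(version, '8.0.0-alpha.17') >= 0;
}

const WATCHED = ['@babel/helpers', '@babel/runtime', '@babel/core'];

// Scan a package-lock v2/v3 style "packages" map, whose keys look like
// "node_modules/<name>" or "node_modules/<dep>/node_modules/<name>".
function findVulnerable(lock) {
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!WATCHED.includes(name)) continue;
    if (!hasFix(entry.version)) found.push({ path, version: entry.version });
  }
  return found;
}

// Constructed sample lock file: the top-level packages are fixed, but a nested
// @babel/runtime and an 8.x prerelease copy are still behind the fix.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@babel/core': { version: '7.26.10' },
    'node_modules/@babel/helpers': { version: '7.26.10' },
    'node_modules/some-dep/node_modules/@babel/runtime': { version: '7.26.9' },
    'node_modules/@babel/runtime': { version: '8.0.0-alpha.16' },
  },
};

console.log(findVulnerable(SAMPLE_LOCK));
// [ { path: 'node_modules/some-dep/node_modules/@babel/runtime', version: '7.26.9' },
//   { path: 'node_modules/@babel/runtime', version: '8.0.0-alpha.16' } ]
```

In a real project, read package-lock.json with JSON.parse and pass it to findVulnerable; an empty result means the dependency tree is updated, but, as the text above notes, compiled output that inlines the helper still has to be rebuilt before the fix takes effect.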
Conclusion
Developers using Babel to compile regular expression named capturing groups should be aware of the CVE-2025-27789 vulnerability and act accordingly. By updating their Babel dependencies and re-compiling their code, they can ensure that their projects are no longer susceptible to the risks posed by this quadratic complexity issue.
Timeline
Published on: 03/11/2025 20:15:18 UTC