CVE-2023-45133: Babel is a compiler for writingJavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of `babel-traverse`, using...

Description

Babel is a compiler for writingJavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of `babel-traverse`, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods. Known affected plugins are `@babel/plugin-transform-runtime`; `@babel/preset-env` when using its `useBuiltIns` option; and any "polyfill provider" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`. No other plugins under the `@babel/` namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in `@babel/traverse@7.23.2` and `@babel/traverse@8.0.0-alpha.4`. Those who cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions: `@babel/plugin-transform-runtime` v7.23.2, `@babel/preset-env` v7.23.2, `@babel/helper-define-polyfill-provider` v0.4.3, `babel-plugin-polyfill-corejs2` v0.4.6, `babel-plugin-polyfill-corejs3` v0.8.5, `babel-plugin-polyfill-es-shims` v0.10.0, `babel-plugin-polyfill-regenerator` v0.5.3.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Probability

0.52%

40.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions	Update
Debian	Debian Linux	10.0	—
Debian	Debian Linux	11.0	—
Debian	Debian Linux	12.0	—
Babeljs	Babel	< 7.23.2	—
Babeljs	Babel	8.0.0	Alpha.0
Babeljs	Babel-Helper-Define-Polyfill-Provider	< 0.4.3	—
Babeljs	Babel-Plugin-Polyfill-Corejs2	< 0.4.6	—
Babeljs	Babel-Plugin-Polyfill-Corejs3	< 0.8.5	—
Babeljs	Babel-Plugin-Polyfill-Es-Shims	< 0.10.0	—
Babeljs	Babel-Plugin-Polyfill-Regenerator	< 0.5.3	—
Babeljs	Babel-Plugin-Transform-Runtime	< 7.23.2	—
Babeljs	Babel-Preset-Env	< 7.23.2	—

References

https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82Patch
https://github.com/babel/babel/pull/16033Issue Tracking
https://github.com/babel/babel/releases/tag/v7.23.2Patch
https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4Patch
https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00026.htmlMailing List, Third Party Advisory
https://www.debian.org/security/2023/dsa-5528Issue Tracking
https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82Patch
https://github.com/babel/babel/pull/16033Issue Tracking
https://github.com/babel/babel/releases/tag/v7.23.2Patch
https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4Patch
https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00026.htmlMailing List, Third Party Advisory
https://www.debian.org/security/2023/dsa-5528Issue Tracking

Timeline

Published: Oct 12, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-45133?

Babel is a compiler for writingJavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of `babel-traverse`, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods. Known affected plugins are `@babel/plugin-transform-runtime`; `@babel/preset-env` when using its `useBuiltIns` option; and any "polyfill provider" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`. No other plugins under the `@babel/` namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in `@babel/traverse@7.23.2` and `@babel/traverse@8.0.0-alpha.4`. Those who cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions: `@babel/plugin-transform-runtime` v7.23.2, `@babel/preset-env` v7.23.2, `@babel/helper-define-polyfill-provider` v0.4.3, `babel-plugin-polyfill-corejs2` v0.4.6, `babel-plugin-polyfill-corejs3` v0.8.5, `babel-plugin-polyfill-es-shims` v0.10.0, `babel-plugin-polyfill-regenerator` v0.5.3.

How severe is CVE-2023-45133?

CVE-2023-45133 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 0.52% probability of exploitation in the next 30 days.

How do I fix CVE-2023-45133?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.