The vulnerability in Babel’s SystemJS module transform (no CVE identifier disclosed) is triggered when an attacker supplies crafted JavaScript source to be compiled. `@babel/plugin-transform-modules-systemjs` (also reached through `@babel/preset-env` with `modules: "systemjs"`) fails to sanitize certain module specifier strings: while rewriting import/export statements into a `System.register` call, it concatenates the specifier into the generated dependency list without proper escaping, so a quote embedded in the specifier terminates the emitted string literal early and whatever follows it is written out as code. A specifier such as `'; console.log(evil);//` therefore turns the compiled output into a script that runs the attacker’s statement wherever that output is loaded. Where it runs matters: the injected code executes in whatever loads the compiled module, and it reaches the build host itself when the build pipeline executes its own output (test runners, server-side rendering, plugins that evaluate modules at build time). The attack requires the victim to compile untrusted code with the SystemJS module format enabled; other module transforms are not affected, and compiling trusted code is safe. The root cause is insufficient validation of module specifiers before string interpolation; the patch replaces the unsafe concatenation with proper escaping or validation, which closes the injection.
Platform: Node.js Babel
Version: <7.29.4
Vulnerability: Arbitrary Code Execution
Severity: Critical
Date: Unknown
Prediction: Already Patched (7.29.4)
What Undercode Say:
# Check which version(s) of the plugin are installed, including copies pulled in under preset-env
npm list @babel/plugin-transform-modules-systemjs
# Update the plugin to the patched version
npm install @babel/plugin-transform-modules-systemjs@7.29.4
# If using preset-env with modules: "systemjs", update it as well
npm install @babel/preset-env@7.29.5
# Verify the version after the update (every copy in the tree should show 7.29.4 or later)
npm list @babel/plugin-transform-modules-systemjs | grep 7.29.4
# Audit the tree for vulnerable versions (before 7.29.4)
npm audit | grep systemjs
// Vulnerable behaviour (simplified)
// Input:   import 'a\';console.log(1);//'
// Output:  System.register(['a';console.log(1);//'], ...)
//          the quote inside the specifier ends the literal early, so the
//          rest of the specifier is emitted as code
// Patched: the specifier is escaped, or rejected outright
// Output:  System.register(['a\';console.log(1);//'], ...)
Exploit:
Craft a JavaScript file whose module specifier contains injected code, e.g. `import "'; console.log('pwned');//"`. Compiled with a vulnerable Babel and the SystemJS transform, the specifier is spliced into the dependency array of the emitted `System.register(["'; console.log('pwned');//"], ...)` call; when the payload’s quote matches the quote character the transform emits, it terminates the literal early and the `console.log` runs when the module is loaded. Check the shape of the emitted call before relying on a payload: a string that only closes the quote leaves the `[` and `(` unbalanced, and a loader rejects that with a SyntaxError instead of running anything. To execute, the injected text also has to close the dependency array and the call, e.g. `"]); console.log('pwned');//`, so that the remainder of the line is commented out.
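As an added illustration of the bug class described above and in the exploit section (example code written for this page, not Babel’s implementation), here is a toy emitter that builds the `System.register` dependency array by string concatenation next to one that serialises each specifier with `JSON.stringify`, plus a stub loader that shows what each output does when loaded. The allow-list in `assertPlainSpecifier` is an assumption made for the example, not Babel’s validation rule, and `BREAKOUT_PAYLOAD` closes the array and the call so that the injected statement actually parses; `PAGE_PAYLOAD` shows what happens when it does not.

```javascript
'use strict';
// Added example, not Babel's code. It models the bug class described on this
// page with a toy SystemJS wrapper emitter: emitRegisterUnsafe() splices raw
// module specifiers into the System.register dependency array by string
// concatenation; emitRegisterSafe() serialises each specifier with
// JSON.stringify, which always yields a valid JS string literal.

const WRAPPER_BODY =
  'function (_export) { return { setters: [], execute: function () {} }; }';

// Vulnerable: a quote inside the specifier ends the literal early and the
// remainder of the specifier is emitted as code.
function emitRegisterUnsafe(specifiers) {
  const deps = specifiers.map((s) => `'${s}'`).join(', ');
  return `System.register([${deps}], ${WRAPPER_BODY});`;
}

// Hardened: JSON.stringify escapes quotes, backslashes and control characters,
// so the specifier cannot escape the array no matter what it contains.
function emitRegisterSafe(specifiers) {
  const deps = specifiers.map((s) => JSON.stringify(s)).join(', ');
  return `System.register([${deps}], ${WRAPPER_BODY});`;
}

// The other fix the page mentions: reject instead of escape. This allow-list
// is an assumption made for the example (deliberately stricter than real
// specifiers, which may carry query strings or percent-encoding), not
// Babel's validation rule.
const PLAIN_SPECIFIER = /^[\w@./~-]+$/;
function assertPlainSpecifier(specifier) {
  if (!PLAIN_SPECIFIER.test(specifier)) {
    throw new Error(`suspicious module specifier: ${JSON.stringify(specifier)}`);
  }
  return specifier;
}

// Run emitted code against a stub loader. System.register records its
// dependency array and console.log is captured instead of printed, so an
// injected statement shows up in `leaked`. A parse failure is reported, not
// thrown, because that is the other observable outcome of a bad payload.
function loadWithStubSystem(code) {
  const registered = [];
  const leaked = [];
  const stubSystem = { register: (deps) => { registered.push(deps); } };
  const stubConsole = { log: (...args) => { leaked.push(args.join(' ')); } };
  try {
    new Function('System', 'console', code)(stubSystem, stubConsole);
  } catch (e) {
    return { deps: null, leaked, error: e.constructor.name };
  }
  return { deps: registered.length ? registered[0] : null, leaked, error: null };
}

// Constructed payloads. PAGE_PAYLOAD only closes the string literal and leaves
// the array and the call unbalanced; BREAKOUT_PAYLOAD closes the string, the
// array and the call, then comments out the rest of the line.
const PAGE_PAYLOAD = "'; console.log('pwned');//";
const BREAKOUT_PAYLOAD = "']); console.log('pwned');//";

function demo() {
  return {
    // unsafe emitter, unbalanced payload: SyntaxError, nothing runs
    unbalanced: loadWithStubSystem(emitRegisterUnsafe(['./a', PAGE_PAYLOAD])),
    // unsafe emitter, balanced payload: registers ['./a', ''] and leaks 'pwned'
    unsafe: loadWithStubSystem(emitRegisterUnsafe(['./a', BREAKOUT_PAYLOAD])),
    // safe emitter: the payload is just a (useless) dependency name
    safe: loadWithStubSystem(emitRegisterSafe(['./a', BREAKOUT_PAYLOAD])),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` to see the three outcomes side by side. The point of `loadWithStubSystem` is that it reports injection by what the loader observes (an extra registered dependency list, a captured log call, or a parse error) rather than by inspecting the emitted text, which is the same check you would apply to a real bundle before trusting it.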
Protection from this CVE
- Upgrade `@babel/plugin-transform-modules-systemjs` to >=7.29.4 or `@babel/preset-env` to >=7.29.5, and confirm with `npm list @babel/plugin-transform-modules-systemjs` that no older copy remains anywhere in the dependency tree.
- Avoid `modules: "systemjs"`; switch to native ES modules or another module format.
- Pin `@babel/parser` to v7.11.5 as a temporary workaround (disables string module name parsing but may break features). This rolls the parser back many releases and gives up every parser fix since, so treat it as a stopgap until the upgrade is possible, not as a mitigation to leave in place.
- Only compile trusted code from verified sources.
Impact
Arbitrary code execution originating from the compile step. An attacker who controls the input source can place statements in the compiled output that run wherever that output is loaded; when the pipeline executes what it compiled (test runners, server-side rendering, plugins that evaluate modules at build time), that is code execution on the machine running Babel, with the usual follow-on risks: credential and data theft, crypto mining, or full compromise of the host. This is most serious for CI/CD pipelines that compile untrusted third-party code.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

