The vulnerability in `@babel/core` arises when the package compiles attacker-controlled JavaScript that contains a crafted `//# sourceMappingURL=` comment. With input source maps enabled (the default, `inputSourceMap: true`), Babel reads the comment and tries to load the referenced source map file from the local filesystem. Because the path is neither validated nor sanitized, it can be an absolute path, or a relative path that escapes the source directory, pointing at any file the Babel process can read. When a vulnerable Babel instance compiles such input, the contents of the targeted file are read and embedded into the generated output, which lets the adversary exfiltrate configuration secrets, environment files, or source code.

The attack succeeds only when the attacker controls the input code, can view the resulting output, and knows the exact path of the target file. Pipelines that compile only trusted code are unaffected.

Affected versions are the 7.x line up to and including 7.29.0 and the 8.0.0 prereleases from 8.0.0-alpha.0 to 8.0.0-rc.5. The Babel team fixed the issue in 7.29.6 and 8.0.0-rc.6 by adding checks that block the loading of external source maps unless `inputSourceMap` is explicitly provided. Users who cannot upgrade immediately can disable the feature by setting `inputSourceMap: false` in their Babel configuration, or strip and validate any `sourceMappingURL` comments in untrusted input before compilation.
DailyCVE Form:
Platform: @babel/core
Version: 7.29.0 / 8.0.0-rc.5
Vulnerability: Arbitrary file read
Severity: Low
Date: 2026-06-13
Prediction: 2026-06-15
What Undercode Say:
Simulate a vulnerable compilation that reads /etc/passwd. Babel only recognizes the `//#` (or `//@`) form of the comment, and `@babel/core` ships no command-line binary, so install `@babel/cli` next to the vulnerable core version:
npm install --no-save @babel/core@7.29.0 @babel/cli
echo '//# sourceMappingURL=/etc/passwd' > malicious.js
npx babel malicious.js --out-file output.js --source-maps
Check whether the file content was embedded, in the compiled file or in the emitted map (an input map Babel accepts is merged into the output map):
grep -l "root:" output.js output.js.map
Workaround: disable input source maps
npx babel malicious.js --out-file output.js --config-file ./babel-config.json
where babel-config.json contains { "inputSourceMap": false }
Exploit:
Craft a JavaScript file with a `//# sourceMappingURL=` comment pointing to a sensitive file (e.g., /etc/passwd, ./.env, /app/config.json). When a vulnerable Babel version compiles it with input source maps enabled (the default), the contents of the target file are read and included in the output, letting the attacker retrieve any file the Babel process can read, provided they can see that output.
Protection:
Upgrade to `@babel/core` 7.29.6 or 8.0.0-rc.6. If upgrading is not immediately possible, set `inputSourceMap: false` in the Babel options, or extract and validate every `sourceMappingURL` comment in untrusted input before compilation.
Impact:
An attacker can read any file accessible to the user running Babel, potentially exposing secrets, credentials, or proprietary source code that can be used for privilege escalation or further compromise. The exposure is bounded by the Babel process's filesystem permissions and by what the attacker can observe in the compiled output.
Sources:
Reported By: github.com

