{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@babel/preset-env/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@babel/plugin-transform-modules-systemjs","@babel/preset-env"],"_cs_severities":["high"],"_cs_tags":["code-generation","arbitrary-code-execution","babel"],"_cs_type":"advisory","_cs_vendors":["Babel"],"content_html":"\u003cp\u003eA vulnerability exists in Babel\u0026rsquo;s \u003ccode\u003e@babel/plugin-transform-modules-systemjs\u003c/code\u003e plugin and \u003ccode\u003e@babel/preset-env\u003c/code\u003e when configured with the \u003ccode\u003emodules: \u0026quot;systemjs\u0026quot;\u003c/code\u003e option. An attacker can supply a specially crafted input to Babel, causing the tool to generate malicious output code that results in arbitrary code execution when processed. This vulnerability impacts versions of \u003ccode\u003e@babel/plugin-transform-modules-systemjs\u003c/code\u003e between 7.12.0 and 7.29.3, as well as versions between 8.0.0-alpha.0 and 8.0.0-alpha.12. \u003ccode\u003e@babel/preset-env\u003c/code\u003e is vulnerable when it uses a vulnerable version of \u003ccode\u003e@babel/plugin-transform-modules-systemjs\u003c/code\u003e. This vulnerability, reported by Daniel Cervera, does not affect users who only compile trusted code; developers who compile user-submitted code are at higher risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious JavaScript input file designed to exploit the code generation flaw in Babel.\u003c/li\u003e\n\u003cli\u003eThe attacker provides the malicious JavaScript file to a vulnerable Babel instance for compilation. This could occur through various means, such as a build process.\u003c/li\u003e\n\u003cli\u003eBabel, using either \u003ccode\u003e@babel/plugin-transform-modules-systemjs\u003c/code\u003e or \u003ccode\u003e@babel/preset-env\u003c/code\u003e with the \u003ccode\u003emodules: \u0026quot;systemjs\u0026quot;\u003c/code\u003e option, processes the malicious input file.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, Babel generates a malicious JavaScript output file containing attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe generated malicious JavaScript file is then included in a web application or other JavaScript runtime environment.\u003c/li\u003e\n\u003cli\u003eA user or process executes the malicious JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled code executes arbitrary commands on the system or within the application\u0026rsquo;s context.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access, modifies data, or disrupts services, depending on the permissions available to the executed code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to execute arbitrary code in the context of the Babel process. This can lead to a variety of impacts, including but not limited to unauthorized access to sensitive data, modification of application code, or complete system compromise, depending on where and how the compiled code is used. The severity is high because it can potentially give an attacker complete control over the system if the compiled output is run in a privileged environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003e@babel/plugin-transform-modules-systemjs\u003c/code\u003e to version 7.29.4 or later. If using \u003ccode\u003e@babel/preset-env\u003c/code\u003e, upgrade to version 7.29.5 to pull in the updated \u003ccode\u003e@babel/plugin-transform-modules-systemjs\u003c/code\u003e dependency.\u003c/li\u003e\n\u003cli\u003eApply the provided Sigma rule \u003ccode\u003eDetect CVE-2026-44728 Babel Code Generation Vulnerability\u003c/code\u003e to identify potential exploitation attempts based on process execution with Babel.\u003c/li\u003e\n\u003cli\u003eConsider migrating away from the \u003ccode\u003emodules: \u0026quot;systemjs\u0026quot;\u003c/code\u003e option to native ES Modules or other module formats to avoid this type of vulnerability.\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not possible and you\u0026rsquo;re working with a legacy codebase, consider pinning \u003ccode\u003e@babel/parser\u003c/code\u003e to v7.11.5; however, be aware of the potential impact on other language features.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T20:34:07Z","date_published":"2026-05-08T20:34:07Z","id":"/briefs/2024-01-08-babel-code-execution/","summary":"A maliciously crafted input to Babel's `@babel/plugin-transform-modules-systemjs` or `@babel/preset-env` with `modules: 'systemjs'` can cause the tool to generate output that leads to arbitrary code execution.","title":"Babel Plugin Vulnerability Leads to Arbitrary Code Execution via Malicious Input","url":"https://feed.craftedsignal.io/briefs/2024-01-08-babel-code-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — @Babel/Preset-Env","version":"https://jsonfeed.org/version/1.1"}