CVE-2026-49356

Description

## Impact Using `@babel/core` to compile maliciously crafted code can allow ab attacker to read any source map from the system that is running Babel, if these conditions are _all_ true: - the attacker controls the input source code - the attacker can read the output source code - the attacker knows the path of the source map file that they want to read **Users that only compile trusted code are not impacted.** ## Patches The vulnerability has been fixed in `@babel/[email protected]` and `@babel/[email protected]`. ## Workarounds Callers can mitigate the issue without upgrading by setting [`inputSourceMap: false`](https://babeljs.io/docs/options#inputsourcemap) in their Babel options. Callers can also manually extract the `#sourceMappingURL` comment from the input source code, validate whether the source map that it links to is allowed to be read, and if it is pass an object to `inputSourceMap` (passing `false` when it's not). ## Credits Thanks Teodor-Cristian Radoi for reporting the vulnerability.

How to fix CVE-2026-49356

To remediate CVE-2026-49356, upgrade the affected package to a fixed version below.

• —upgrade to 8.0.0-rc.6 or later

Is CVE-2026-49356 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-49356.

Affected packages (1)

• >= 8.0.0-alpha.0, < 8.0.0-rc.6

CVSS scores

References (3)

• PATCHgithub.com/babel/babel
• WEBbabeljs.io/docs/options#inputsourcemap
• WEBgithub.com/babel/babel/security/advisories/GHSA-4x5r-pxfx-6jf8