CVE-2023-45133

描述

### Impact Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods. Known affected plugins are: - `@babel/plugin-transform-runtime` - `@babel/preset-env` when using its [`useBuiltIns`](https://babeljs.io/docs/babel-preset-env#usebuiltins) option - Any "polyfill provider" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator` No other plugins under the `@babel/` namespace are impacted, but third-party plugins might be. **Users that only compile trusted code are not impacted.** ### Patches The vulnerability has been fixed in `@babel/[email protected]`. Babel 6 does not receive security fixes anymore (see [Babel's security policy](https://github.com/babel/babel/security/policy)), hence there is no patch planned for `babel-traverse@6`. ### Workarounds - Upgrade `@babel/traverse` to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. `@babel/core` >=7.23.2 will automatically pull in a non-vulnerable version. - If you cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions: - `@babel/plugin-transform-runtime` v7.23.2 - `@babel/preset-env` v7.23.2 - `@babel/helper-define-polyfill-provider` v0.4.3 - `babel-plugin-polyfill-corejs2` v0.4.6 - `babel-plugin-polyfill-corejs3` v0.8.5 - `babel-plugin-polyfill-es-shims` v0.10.0 - `babel-plugin-polyfill-regenerator` v0.5.3

受影響套件(5)

• Debian/node-babelfrom 0, < 6.26.0+dfsg-3+deb10u1
• Debian/node-babel7from 0, < 7.12.12+~cs150.141.84-6+deb11u1
• Debian/node-babel7from 0, < 7.12.12+~cs150.141.84-6+deb11u1
• npm/@babel/traversefrom 0, < 7.23.2
• npm/babel-traversefrom 0

CVSS 分數

參考連結(11)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-45133
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2023-45133
• PATCHhttps://github.com/babel/babel
• WEBhttps://babeljs.io/blog/2023/10/16/cve-2023-45133
• WEBhttps://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82
• WEBhttps://github.com/babel/babel/pull/16033
• WEBhttps://github.com/babel/babel/releases/tag/v7.23.2
• WEBhttps://github.com/babel/babel/releases/tag/v8.0.0-alpha.4
• WEBhttps://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92
• WEBhttps://lists.debian.org/debian-lts-announce/2023/10/msg00026.html
• WEBhttps://www.debian.org/security/2023/dsa-5528