CVE-2026-49356
@babel/core: Arbitrary File Read via sourceMappingURL Comment
描述
## Impact Using `@babel/core` to compile maliciously crafted code can allow ab attacker to read any source map from the system that is running Babel, if these conditions are _all_ true: - the attacker controls the input source code - the attacker can read the output source code - the attacker knows the path of the source map file that they want to read **Users that only compile trusted code are not impacted.** ## Patches The vulnerability has been fixed in `@babel/[email protected]` and `@babel/[email protected]`. ## Workarounds Callers can mitigate the issue without upgrading by setting [`inputSourceMap: false`](https://babeljs.io/docs/options#inputsourcemap) in their Babel options. Callers can also manually extract the `#sourceMappingURL` comment from the input source code, validate whether the source map that it links to is allowed to be read, and if it is pass an object to `inputSourceMap` (passing `false` when it's not). ## Credits Thanks Teodor-Cristian Radoi for reporting the vulnerability.
如何修補 CVE-2026-49356
要修補 CVE-2026-49356,請將受影響套件升級到下列已修補版本。
- —升級至 8.0.0-rc.6 或更新版本
CVE-2026-49356 正在被利用嗎?
目前沒有被利用訊號。CVE-2026-49356 既不在 CISA KEV 也沒有最新的 EPSS 分數。
受影響套件(1)
- >= 8.0.0-alpha.0, < 8.0.0-rc.6
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | LOW3.2 | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N |