CVE-2023-45133
arbitrary code execution vulnerability in @babel/traverse
What is CVE-2023-45133 About?
This vulnerability allows arbitrary code execution during compilation in Babel when specially crafted code is compiled with specific plugins. It affects plugins that rely on the `path.evaluate()` or `path.evaluateTruthy()` methods. The impact is execution of attacker-controlled code on the machine performing the compilation, which poses a significant risk to the build process.
Affected Software
- @babel/traverse
  - >8.0.0-alpha.0, <8.0.0-alpha.4
  - <7.23.2
Technical Details
The vulnerability exists within `@babel/traverse`, specifically when Babel plugins that rely on the internal `path.evaluate()` or `path.evaluateTruthy()` methods process attacker-crafted code. If an attacker supplies malicious code to be compiled, these methods, instead of safely evaluating expressions or their truthiness, can be made to execute arbitrary attacker-supplied code within the Node.js process in which Babel is running. This happens during the static analysis phase of compilation, before any output is produced. Known affected plugins include `@babel/plugin-transform-runtime`, `@babel/preset-env` (when its `useBuiltIns` option is enabled), and any plugin that depends on `@babel/helper-define-polyfill-provider`.
What is the Impact of CVE-2023-45133?
Successful exploitation may allow attackers to execute arbitrary code on the compilation system during the Babel compilation process, leading to supply chain attacks or system compromise.
What is the Exploitability of CVE-2023-45133?
Exploitation requires an attacker to be able to supply specially crafted code for compilation by Babel. This is a local code execution vulnerability within the build environment. No authentication is typically needed for the act of compilation itself, but the attacker must have a vector to introduce their malicious code into the build process (e.g., through a compromised dependency or a direct contribution). The complexity is moderate, requiring an understanding of Babel's internal mechanisms and of how `path.evaluate()` is used by specific plugins. The primary risk factor is compiling untrusted code, including third-party open-source codebases, especially in CI/CD pipelines, which increases the likelihood of exposure.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-45133?
About the Fix from Resolved Security
The patch restricts method evaluation to methods that are defined directly on the target object, instead of also allowing properties inherited through the object's prototype chain. This mitigates CVE-2023-45133 by preventing attackers from triggering arbitrary prototype methods, such as `hasOwnProperty`, which could lead to unexpected or unsafe code execution during evaluation.
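As an added illustration of the own-property restriction described in the fix, and of the prototype-chain problem outlined under Technical Details, here is a minimal stand-in evaluator written for this page. It is not Babel's code and not Resolved Security's: the allow-list of host objects (`Math`, `String`, `Number`) and the `resolveOwnMethod` and `evaluateCall` names are assumptions for the example. What it shows is that a lookup guarded by `Object.prototype.hasOwnProperty` yields nothing for inherited members, so a static evaluator never dispatches a call into the prototype chain.

```javascript
// Added illustration of the own-property restriction (not Babel's code).
// A static evaluator that folds `Object.method(...)` calls on a small set of
// host objects. The allow-list below is an assumption for this example.
const ALLOWED_OBJECTS = { Math, String, Number };

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Hardened lookup: only accept a method that is an OWN property of the
// allowed host object. Anything reachable only through the prototype chain
// (for example `hasOwnProperty` or `constructor`) is refused, which is the
// principle the CVE-2023-45133 fix applies.
function resolveOwnMethod(objectName, methodName) {
  if (!hasOwn(ALLOWED_OBJECTS, objectName)) {
    return null; // unknown host object: do not evaluate
  }
  const target = ALLOWED_OBJECTS[objectName];
  if (!hasOwn(target, methodName)) {
    return null; // inherited member: do not evaluate
  }
  const fn = target[methodName];
  return typeof fn === "function" ? fn : null;
}

// Evaluate a call already parsed into { object, property, args }, where every
// argument is a plain literal. Mirrors the "confident" flag idea used by
// static evaluators: confident=false means "could not evaluate safely".
function evaluateCall(callExpr) {
  const fn = resolveOwnMethod(callExpr.object, callExpr.property);
  if (fn === null) return { confident: false, value: undefined };
  const literal = (a) => ["number", "string", "boolean"].includes(typeof a);
  if (!Array.isArray(callExpr.args) || !callExpr.args.every(literal)) {
    return { confident: false, value: undefined };
  }
  return { confident: true, value: fn.apply(null, callExpr.args) };
}

// Demo on constructed inputs: one own method, one static helper, and two
// inherited members that the hardened lookup refuses.
for (const expr of [
  { object: "Math", property: "max", args: [1, 5, 3] },
  { object: "String", property: "fromCharCode", args: [72, 105] },
  { object: "Math", property: "hasOwnProperty", args: ["max"] },
  { object: "Math", property: "constructor", args: [] },
]) {
  console.log(`${expr.object}.${expr.property}`, evaluateCall(expr));
}
```

The meaningful comparison in the output is `Math.max` (an own property, folded to `5`) against `Math.hasOwnProperty` and `Math.constructor` (inherited, returned with `confident: false`), which is the behavioural difference the patch description above attributes to the fixed releases.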
Available Upgrade Options
- @babel/traverse
  - <7.23.2 → Upgrade to 7.23.2
  - >8.0.0-alpha.0, <8.0.0-alpha.4 → Upgrade to 8.0.0-alpha.4
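Added example, not part of the advisory and not Babel's or Resolved Security's code: a small Node.js script that checks installed `@babel/traverse` versions against the two affected ranges listed above and reports the upgrade target for each hit. It walks the `packages` map of a `package-lock.json` (lockfile version 2 or 3) so that nested copies pinned by a transitive dependency are found as well as the top-level one. The sample lockfile fragment is constructed for this example, the function names are assumptions, and the semver comparison is implemented inline so the script runs without the `semver` package.

```javascript
// Added example: audit @babel/traverse versions against the advisory's ranges.
// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".").map((id) => (/^\d+$/.test(id) ? Number(id) : id)) : [],
  };
}

// Semver precedence: compare core numerically, then pre-release identifiers
// (numeric before alphanumeric, shorter list lower, no pre-release highest).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1; // a release outranks any pre-release of it
  if (pb.pre.length === 0) return -1;
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i];
    const y = pb.pre[i];
    if (x === y) continue;
    if (typeof x === "number" && typeof y === "number") return x < y ? -1 : 1;
    if (typeof x === "number") return -1;
    if (typeof y === "number") return 1;
    return x < y ? -1 : 1;
  }
  return Math.sign(pa.pre.length - pb.pre.length);
}

// Affected ranges and fixed versions exactly as listed in the advisory above.
const AFFECTED_RANGES = [
  {
    range: "<7.23.2",
    isAffected: (v) => compareVersions(v, "7.23.2") < 0,
    upgradeTo: "7.23.2",
  },
  {
    range: ">8.0.0-alpha.0, <8.0.0-alpha.4",
    isAffected: (v) =>
      compareVersions(v, "8.0.0-alpha.0") > 0 && compareVersions(v, "8.0.0-alpha.4") < 0,
    upgradeTo: "8.0.0-alpha.4",
  },
];

function checkTraverseVersion(version) {
  for (const r of AFFECTED_RANGES) {
    if (r.isAffected(version)) {
      return { vulnerable: true, range: r.range, upgradeTo: r.upgradeTo };
    }
  }
  return { vulnerable: false };
}

// Report every installed copy of @babel/traverse in an affected range.
// Lockfile v2/v3 keys are install paths, so nested copies end with the
// same suffix as the top-level one.
function auditLockfile(lock) {
  const findings = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (!installPath.endsWith("node_modules/@babel/traverse")) continue;
    const result = checkTraverseVersion(entry.version);
    if (result.vulnerable) findings.push({ installPath, version: entry.version, ...result });
  }
  return findings;
}

// Constructed sample lockfile fragment (not from any real project): one fixed
// top-level copy and two nested copies pinned by hypothetical dependencies.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app" },
    "node_modules/@babel/traverse": { version: "7.23.2" },
    "node_modules/legacy-tool/node_modules/@babel/traverse": { version: "7.22.8" },
    "node_modules/next-gen/node_modules/@babel/traverse": { version: "8.0.0-alpha.2" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.installPath}@${f.version} matches ${f.range}; upgrade to ${f.upgradeTo}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The nested-copy check is the part worth keeping: a top-level `@babel/traverse` at 7.23.2 does not mean every copy in the tree is fixed, and a build tool that bundles its own older copy is still exposed.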
Additional Resources
- https://lists.debian.org/debian-lts-announce/2023/10/msg00026.html
- https://github.com/babel/babel/releases/tag/v7.23.2
- https://github.com/babel/babel/pull/16033
- https://osv.dev/vulnerability/GHSA-67hx-6x53-jw92
- https://www.debian.org/security/2023/dsa-5528
- https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4
- https://github.com/babel/babel
- https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92
What are Similar Vulnerabilities to CVE-2023-45133?
Similar Vulnerabilities: CVE-2022-24756, CVE-2021-23386, CVE-2023-28154, CVE-2022-0235, CVE-2022-29007
