CVE-2023-45133 in Traverseinfo

Summary

by MITRE • 10/25/2023

Babel is a compiler for writingJavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of `babel-traverse`, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods. Known affected plugins are `@babel/plugin-transform-runtime`; `@babel/preset-env` when using its `useBuiltIns` option; and any "polyfill provider" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`. No other plugins under the `@babel/` namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in `@babel/[email protected]` and `@babel/[email protected]`. Those who cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions: `@babel/plugin-transform-runtime` v7.23.2, `@babel/preset-env` v7.23.2, `@babel/helper-define-polyfill-provider` v0.4.3, `babel-plugin-polyfill-corejs2` v0.4.6, `babel-plugin-polyfill-corejs3` v0.8.5, `babel-plugin-polyfill-es-shims` v0.10.0, `babel-plugin-polyfill-regenerator` v0.5.3.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 10/31/2023

The vulnerability CVE-2023-45133 represents a critical arbitrary code execution flaw within the Babel JavaScript compiler ecosystem, specifically affecting the `babel/traverse` module. This vulnerability stems from improper handling of attacker-crafted code during the compilation process, particularly when utilizing certain internal evaluation methods. The flaw exists in versions prior to 7.23.2 and 8.0.0-alpha.4 of `babel/traverse` and all versions of `babel-traverse`, creating a significant security risk for developers who process untrusted code through Babel's compilation pipeline. The vulnerability operates through the `path.evaluate()` and `path.evaluateTruthy()` internal methods, which are core components of Babel's traversal system responsible for analyzing and evaluating code expressions during compilation.

The technical exploitation of this vulnerability occurs when Babel processes maliciously crafted JavaScript code through plugins that depend on the vulnerable evaluation methods. The affected plugins include `babel/plugin-transform-runtime`, `babel/preset-env` with the `useBuiltIns` option, and various polyfill provider plugins such as `babel-plugin-polyfill-corejs3` and `babel-plugin-polyfill-regenerator`. These plugins leverage the internal evaluation capabilities to perform code transformations, but the flawed implementation allows attackers to inject malicious code that gets executed during the compilation phase rather than being treated as static code analysis. This represents a classic code injection vulnerability where the compilation process itself becomes an attack vector for arbitrary code execution.

The operational impact of this vulnerability is severe for organizations and developers who process untrusted JavaScript input through Babel's compilation pipeline, particularly in environments where code transformation occurs on user-submitted content or third-party libraries. Attackers could exploit this vulnerability to execute arbitrary code on systems running affected Babel versions, potentially leading to complete system compromise. The vulnerability's scope extends beyond just the core Babel packages, as third-party plugins that depend on the affected modules may also be vulnerable, creating a broader attack surface. According to CWE-94, this vulnerability maps to the Common Weakness Enumeration for "Improper Control of Generation of Code ('Code Injection')" which is a well-established class of security flaws that can lead to arbitrary code execution.

Mitigation strategies for this vulnerability involve immediate upgrading of affected packages to their patched versions as specified in the advisory. Organizations should prioritize updating `babel/traverse` to version 7.23.2 or 8.0.0-alpha.4, along with the specific affected plugins mentioned in the advisory including `babel/plugin-transform-runtime` v7.23.2, `babel/preset-env` v7.23.2, and the various polyfill provider plugins. For those unable to immediately upgrade the core `babel/traverse` module, upgrading the affected dependent packages remains crucial to avoid triggering the vulnerable code paths. Security practitioners should also implement monitoring and code review processes to identify any potential usage of the affected evaluation methods in custom plugins or build processes. This vulnerability aligns with ATT&CK technique T1059.006 for "Command and Scripting Interpreter: JavaScript", as it enables attackers to execute malicious JavaScript code through the compilation process, potentially bypassing traditional security controls that might not inspect the compilation phase of code processing pipelines.

Responsible

GitHub, Inc.

Reservation

10/04/2023

Disclosure

10/25/2023

Moderation

accepted

CPE

ready

EPSS

0.00520

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!