CVE-2026-49356 in Babel

Summary

by MITRE • 06/22/2026

Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core is affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is running Babel, if the attacker controls the input source code, can read the output source code, and knows the path of the source map file that they want to read. This vulnerability is fixed in 8.0.0-rc.6 and 7.29.6.


Analysis

by VulDB Data Team • 06/22/2026

The vulnerability in Babel's @babel/core module is a critical arbitrary file read flaw that stems from improper handling of sourceMappingURL comments during JavaScript compilation. It allows an attacker to abuse the source map processing functionality to read files on the system where Babel runs, which is a significant risk for development environments and build systems that rely on this popular JavaScript compiler. The issue affects versions prior to 8.0.0-rc.6 and 7.29.6, indicating that it was present in widely used release branches of the library.

The flaw is triggered when @babel/core processes maliciously crafted source code containing a specially formatted sourceMappingURL comment. During compilation, Babel attempts to resolve and read the source map file referenced in that comment, but does not properly validate or sanitize the file path the comment specifies. An attacker who controls the input source code can therefore steer source map resolution to any source map file that exists on the system running the compiler. Exploitation requires that the attacker controls the input source code, can read the compiled output, and knows the path of the source map file they want to read.

From an operational impact perspective, this vulnerability creates serious security implications for development environments, continuous integration pipelines, and build systems that utilize Babel for JavaScript compilation. Attackers could potentially access sensitive source map files that might contain internal path structures, development credentials, or other information that could aid in further exploitation attempts. The vulnerability aligns with CWE-22 - Improper Limitation of a Pathname to a Restricted Directory, which specifically addresses the issue of insufficient validation of file paths and the potential for directory traversal attacks. This weakness enables attackers to bypass normal file access controls and read files that should remain protected.

The attack vector is particularly concerning in automated build environments where Babel processes code from untrusted sources or where developers might not properly validate input before compilation. The exploitation requires minimal privileges beyond those normally available to a compiler process, making it accessible to attackers who can influence the compilation workflow. This vulnerability also maps to ATT&CK technique T1587.001 - Developer Application Proxy Execution, as it leverages legitimate compilation tools to achieve unauthorized file access. Organizations using Babel in their development workflows should consider this vulnerability as part of their broader security posture assessment, particularly when dealing with untrusted code inputs or when implementing automated compilation processes.

The mitigation strategy involves upgrading to the patched versions 8.0.0-rc.6 and 7.29.6 where the source map path validation has been properly implemented. Additionally, organizations should implement proper input sanitization measures for any code that will be processed through Babel, particularly in environments where untrusted inputs are common. Security monitoring should include detection of suspicious sourceMappingURL patterns in compiled outputs, and the principle of least privilege should be applied to Babel execution environments to limit potential damage from successful exploitation attempts.

Responsible

GitHub M

Reservation

05/29/2026

Disclosure

06/22/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low
