CVE-2026-44728
Babel Compiler Code Execution Vulnerability
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| babel | babel | Up to 7.29.4 (exc) |
| babel | babel | 8.0.0-alpha.13 |
| babel | plugin-transform-modules-systemjs | From 7.12.0 (inc) to 7.29.4 (exc) |
| babel | plugin-transform-modules-systemjs | From 8.0.0-alpha.0 (inc) to 8.0.0-alpha.13 (exc) |
| babel | preset-env | 7.29.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-843 | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44728 is a vulnerability in the @babel/plugin-transform-modules-systemjs npm package, affecting versions 7.12.0 through 7.29.3 and 8.0.0-alpha.0 through 8.0.0-alpha.12.
The issue allows attackers to craft malicious code that, when compiled with Babel using the "systemjs" module option, causes Babel to generate output code that executes arbitrary code.
This vulnerability specifically impacts @babel/plugin-transform-modules-systemjs and @babel/preset-env when the "systemjs" module option is used, as the latter relies on the former plugin.
Users compiling only trusted code are not affected. The flaw involves code injection (CWE-94) and type confusion (CWE-843).
How can this vulnerability impact me?
This vulnerability can lead to the execution of arbitrary code generated by Babel when compiling attacker-crafted code.
The potential impacts include compromise of confidentiality, integrity, and availability of the affected system.
Because the vulnerability has a high severity score of 8.2 (CVSS v3), it poses a significant risk if exploited.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects specific versions of the @babel/plugin-transform-modules-systemjs and @babel/preset-env packages when using the "systemjs" module option. Detection involves identifying if your project uses these packages in vulnerable versions.
You can check the installed versions of these packages in your project by running the following commands in your project directory:
- `npm list @babel/plugin-transform-modules-systemjs`
- `npm list @babel/preset-env`
If the installed version of @babel/plugin-transform-modules-systemjs falls within 7.12.0 through 7.29.3 (or 8.0.0-alpha.0 through 8.0.0-alpha.12), or @babel/preset-env is older than 7.29.5, your system is vulnerable.
Additionally, review your Babel configuration files (e.g., babel.config.js or .babelrc) to check if the "systemjs" module option is enabled, as the vulnerability is triggered when compiling code with this option.
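The version and configuration checks described above, as an added example that is not part of this advisory page nor Babel's or npm's own tooling: a Node.js script that walks the JSON tree produced by `npm ls --all --json`, compares every @babel/plugin-transform-modules-systemjs and @babel/preset-env copy (including transitive ones pulled in by preset-env) against the affected ranges listed on this page, and flags a Babel configuration object that enables the "systemjs" module option. The dependency tree and config object embedded below are constructed samples; the semver comparison is a minimal re-implementation written for this example rather than the `semver` package, and the script assumes that the only preset-env range on the page is "before 7.29.5".

```javascript
// Added example for this advisory (not Babel's or npm's own code): assess a
// project against CVE-2026-44728 offline. Input is the object shape that
// `npm ls --all --json` prints ({ dependencies: { name: { version, dependencies } } })
// plus a parsed Babel config object. The sample inputs at the bottom are constructed.

// Affected ranges as listed on this page (maxExclusive is the first fixed version).
const AFFECTED = {
  "@babel/plugin-transform-modules-systemjs": [
    { min: "7.12.0", maxExclusive: "7.29.4" },
    { min: "8.0.0-alpha.0", maxExclusive: "8.0.0-alpha.13" },
  ],
  // Assumption: the page only gives the 7.x fixed version (7.29.5) for preset-env.
  "@babel/preset-env": [{ min: "0.0.0", maxExclusive: "7.29.5" }],
};

// Minimal semver parser: MAJOR.MINOR.PATCH with an optional -prerelease suffix.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { main: [m[1], m[2], m[3]].map(Number), pre: m[4] ? m[4].split(".") : [] };
}

// Semver precedence: numeric main parts first, then prerelease identifiers
// (numeric < alphanumeric, shorter list < longer); a release outranks its prereleases.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.main[i] !== pb.main[i]) return pa.main[i] < pb.main[i] ? -1 : 1;
  }
  if (pa.pre.length === 0 || pb.pre.length === 0) {
    return pa.pre.length === pb.pre.length ? 0 : pa.pre.length === 0 ? 1 : -1;
  }
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    if (i >= pa.pre.length) return -1;
    if (i >= pb.pre.length) return 1;
    const x = pa.pre[i], y = pb.pre[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (xn !== yn) return xn ? -1 : 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when `version` of `pkg` lies in one of the affected ranges above.
function isAffected(pkg, version) {
  return (AFFECTED[pkg] || []).some(
    (r) => compareVersions(version, r.min) >= 0 && compareVersions(version, r.maxExclusive) < 0,
  );
}

// Walk the npm tree recursively so transitive copies (e.g. the plugin pulled in
// by preset-env) are found, recording the dependency path for each hit.
function findVulnerablePackages(tree, path = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const chain = [...path, `${name}@${info.version}`];
    if (info.version && isAffected(name, info.version)) {
      out.push({ name, version: info.version, path: chain.join(" > ") });
    }
    findVulnerablePackages(info, chain, out);
  }
  return out;
}

// True when the config enables the systemjs module transform, either through
// preset-env's `modules: "systemjs"` option (also via the "@babel/env" shorthand)
// or by listing the plugin directly.
function usesSystemjsModules(config) {
  const presetHit = (config.presets || []).some((p) => {
    const [name, opts] = Array.isArray(p) ? p : [p, {}];
    const isPresetEnv = name === "@babel/env" || /preset-env$/.test(String(name));
    return isPresetEnv && !!opts && opts.modules === "systemjs";
  });
  const pluginHit = (config.plugins || []).some((p) =>
    /plugin-transform-modules-systemjs$/.test(String(Array.isArray(p) ? p[0] : p)),
  );
  return presetHit || pluginHit;
}

// The advisory says the issue triggers only when the systemjs module option is
// used, so "atRisk" requires both a vulnerable version and that option.
function assess(tree, config) {
  const findings = findVulnerablePackages(tree);
  const systemjs = usesSystemjsModules(config);
  return { findings, systemjs, atRisk: systemjs && findings.length > 0 };
}

// Constructed sample: a project on preset-env 7.28.0 that transitively pulls the plugin.
const SAMPLE_TREE = {
  name: "sample-app",
  dependencies: {
    "@babel/preset-env": {
      version: "7.28.0",
      dependencies: { "@babel/plugin-transform-modules-systemjs": { version: "7.27.1" } },
    },
    "@babel/core": { version: "7.28.0" },
  },
};
const SAMPLE_CONFIG = { presets: [["@babel/preset-env", { modules: "systemjs" }]] };

// Usage: node check-cve-2026-44728.js [npm-ls.json] [babel-config.json]; without
// arguments the constructed samples are assessed.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const tree = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_TREE;
  const config = process.argv[3] ? JSON.parse(fs.readFileSync(process.argv[3], "utf8")) : SAMPLE_CONFIG;
  console.log(JSON.stringify(assess(tree, config), null, 2));
}
```

Run it with the output of `npm ls --all --json > npm-ls.json` and a JSON rendering of your Babel config (for `babel.config.js`, dump the exported object first). The recursive walk matters because preset-env depends on the plugin, so a pinned top-level version can still coexist with an older nested copy; the reported `path` shows which parent introduced each vulnerable copy.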
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade the affected packages to patched versions:
- Upgrade @babel/plugin-transform-modules-systemjs to version 7.29.4 or later.
- Upgrade @babel/preset-env to version 7.29.5 or later.
If upgrading is not immediately possible, consider the following workarounds:
- Pin @babel/parser to version 7.11.5.
- Avoid using the "systemjs" module option in your Babel configuration.
Also, ensure that you only compile trusted code, as the vulnerability is exploited by specially crafted malicious code.