CVE-2026-49356
Status: Received - Intake
Arbitrary File Read in Babel Compiler

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core is affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is running Babel, if the attacker controls the input source code, can read the output source code, and knows the path of the source map file that they want to read. This vulnerability is fixed in 8.0.0-rc.6 and 7.29.6.
Meta Information
Generated: 2026-06-23
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 4 associated CPEs
Vendor | Product | Version / Range
babel | core | to 8.0.0-rc.6 (end_excluding=7.29.6, exclusive)
babel | core | from 8.0.0-alpha.0 to 8.0.0-rc.5 (end_including=8.0.0-rc.5, inclusive)
babel | core | 7.29.6
babel | core | 8.0.0-rc.6
CWE ID: Description
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Quick Actions
Executive Summary

The CVE-2026-49356 vulnerability affects the @babel/core package, a JavaScript compiler. It allows an attacker to read arbitrary source map files on the system running Babel if certain conditions are met.

This happens because of improper handling of the sourceMappingURL comment in the source code, which enables path traversal and exposure of sensitive information.

Specifically, if an attacker controls the input source code, can read the output source code, and knows the path of the source map file they want to access, they can exploit this vulnerability to read any source map file on the system.

The vulnerability affects versions from 8.0.0-alpha.0 to 8.0.0-rc.5 and versions up to 7.29.0, and has been fixed in versions 7.29.6 and 8.0.0-rc.6.

Impact Analysis

This vulnerability can impact you by allowing an attacker to read sensitive source map files on your system running Babel.

Source maps often contain detailed information about the original source code, which can include proprietary or sensitive logic.

If an attacker can read these files, they might gain insights into your application's inner workings, potentially aiding further attacks or intellectual property theft.

However, exploitation requires the attacker to control the input source code, be able to read the output source code, and know the path of the source map file, which limits the risk.

Detection Guidance

Detection of this vulnerability involves identifying whether your system is running a vulnerable version of @babel/core (versions from 8.0.0-alpha.0 to 8.0.0-rc.5 and up to 7.29.0) and whether it processes source code containing sourceMappingURL comments that could be exploited.

You can check the installed version of @babel/core using the following command in your project directory:

  • npm list @babel/core

To detect potential exploitation attempts, monitor logs or inputs for source code containing suspicious or malicious sourceMappingURL comments that reference arbitrary or unexpected file paths.

Additionally, you can search your codebase or input files for sourceMappingURL comments using commands like:

  • grep -r "sourceMappingURL" ./

Network detection is limited since the vulnerability requires attacker-controlled input and knowledge of source map paths, so focus on input validation and code review.

Mitigation Strategies

Immediate mitigation steps include upgrading @babel/core to a patched version: 7.29.6 or later on the 7.x line, or 8.0.0-rc.6 or later on the 8.x line.

If upgrading is not immediately possible, you can mitigate the vulnerability by setting the Babel option inputSourceMap to false, which disables processing of source maps and prevents exploitation via sourceMappingURL comments.

Another mitigation approach is to manually validate or sanitize the sourceMappingURL comments in the input source code before processing to ensure they do not contain malicious or unexpected paths.
