CVE-2023-45133: Critical security vulnerability in Babel, a popular JavaScript transpiler

JavaScript is a language in constant evolution, with new features, methodologies, and improvements being added regularly. While this is exciting for developers, it presents a challenge: ensuring backward compatibility for older browsers. Babel, the popular JavaScript transpiler, rises to meet this challenge, converting fresh JavaScript code into versions compatible with older browsers. The magic behind allowing the likes of Google, Facebook, and Netflix to wield the latest JavaScript capabilities while ensuring broad compatibility.

However, like all tools, even the mighty ones have their vulnerabilities. The recent discovery of CVE-2023-45133, with a CVSS score of 9.3, has sent ripples through the JavaScript community. This specific security loophole can potentially allow attackers to execute arbitrary code during the compilation process of specially crafted malicious code.

Babel’s strength rests in its plugins. Yet, this strength was also its point of weakness. The danger arises when using certain plugins that depend on Babel’s internal methods – `path.evaluate()` and `path.evaluateTruthy()`. The known affected plugins include:

• `@babel/plugin-transform-runtime`
• `@babel/preset-env` (when the `useBuiltIns` option is active)
• Any “polyfill provider” plugins reliant on `@babel/helper-define-polyfill-provider`, including but not limited to those under the corejs2, corejs3, es-shims, and regenerator banners.

Interestingly, users who only compile trusted code remain unaffected. Nevertheless, considering the expansive use of Babel, this vulnerability remains a significant concern.

Security researcher William Khem-Marquez has been credited for reporting the vulnerability.

Promptly addressing the CVE-2023-45133 vulnerability, the Babel team released a fix in `@babel/traverse@7.23.2`. If you’re still on Babel 6, it’s important to note that it no longer receives security updates.

If you’re keen on ensuring you’re protected:

1. Upgrade to `@babel/traverse v7.23.2` or a higher version. Simply remove it from your package manager’s lockfile and re-install the dependencies. A non-vulnerable version will be automatically included if you have `@babel/core >=7.23.2`.
2. If an upgrade isn’t immediate for you and you utilize the aforementioned affected packages, ensure you update them to their latest versions.
   • @babel/plugin-transform-runtime v7.23.2
   • @babel/preset-env v7.23.2
   • @babel/helper-define-polyfill-provider v0.4.3
   • babel-plugin-polyfill-corejs2 v0.4.6
   • babel-plugin-polyfill-corejs3 v0.8.5
   • babel-plugin-polyfill-es-shims v0.10.0
   • babel-plugin-polyfill-regenerator v0.5.3