Babel Regular Expression Named Capturing Groups ReDoS Vulnerability
Vulnerability
A regular expression denial-of-service (ReDoS) vulnerability has been identified in Babel, the JavaScript compiler. It affects Babel versions prior to 7.26.10 and, on the 8.x line, prior to 8.0.0-alpha.17. When Babel transpiles regular expressions that use named capturing groups (through `@babel/preset-env` for a target that lacks support, or through `@babel/plugin-transform-named-capturing-groups-regex` directly), it strips the group names from the regular expression and emits a runtime helper (polyfill) that wraps the regular expression so that `$<name>` references in the replacement string of `.replace` keep working. The rewrite of those references inside the helper has quadratic complexity in the length of the replacement string. The vulnerability is therefore exploitable only where an untrusted string reaches the second argument of `.replace` on such a transpiled regular expression: the attacker controls the replacement string, not the string being searched. A crafted replacement string of moderate size then keeps the CPU busy and can freeze the application.
Impact
Exploitation causes high CPU usage and application unresponsiveness. Because the cost grows with the square of the replacement string's length, a single call with a replacement string of tens of kilobytes is enough to stall the process; in a Node.js server this blocks the event loop for every concurrent request (a remote denial of service when the replacement string is request-controlled), and in a browser it freezes the page.
Reproduction
To reproduce this vulnerability, compile a file containing a regular expression with a named capturing group, for example `/(?<year>\d{4})/`, with the named-capturing-groups transform enabled (`@babel/plugin-transform-named-capturing-groups-regex`, or `@babel/preset-env` with a target that does not support named groups). In the compiled output, call `.replace` on that regular expression with a long replacement string built from repeated `$<` sequences, the group-reference syntax the helper has to rewrite. Doubling the length of the replacement string roughly quadruples the execution time of the call, and with a string of tens of kilobytes the process visibly stalls; with a fixed version the call returns in time proportional to the length.
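The following is an added example for this advisory, not Babel's own helper: a minimal model of the named-capturing-group `.replace` polyfill, with the quadratic `$<name>` rewrite beside a linear-time rewrite, and a timing loop on a hostile replacement string. The regex in the vulnerable variant is an assumed simplification of the original helper's pattern, and the group table, regular expression and inputs are constructed for the example.

```javascript
// Added example, not Babel's helper: a minimal model of the named-group
// `.replace` polyfill. The regex in expandRefsQuadratic is an assumed
// simplification of the original helper's "$<name>" rewrite; DATE_RE, GROUPS
// and all inputs are constructed for this example.

// The transform strips the names from the regex and records name -> group
// number so the polyfill can turn "$<year>" into "$1" at runtime.
const DATE_RE = /(\d{4})-(\d{2})/;   // what /(?<year>\d{4})-(?<month>\d{2})/ compiles to
const GROUPS = { year: 1, month: 2 };

const hasGroup = (groups, name) =>
  Object.prototype.hasOwnProperty.call(groups, name);

// Vulnerable variant: at every "$<" that is never closed by ">", `[^>]+`
// runs to the end of the string and then backtracks one character at a time,
// so a replacement made of k unclosed "$<" over n characters costs O(k * n).
// (Unknown names are left literal in this toy; native JS would substitute "".)
function expandRefsQuadratic(substitution, groups) {
  return substitution.replace(/\$<([^>]+)>/g, (match, name) =>
    hasGroup(groups, name) ? "$" + groups[name] : match);
}

// Linear variant: resolve each "$<" against the first ">" after it, so the
// scanned ranges never overlap, and stop at the first "$<" that has no
// closing ">" at all, because nothing after it can be closed either.
function expandRefsLinear(substitution, groups) {
  let out = "";
  let pos = 0;
  for (;;) {
    const open = substitution.indexOf("$<", pos);
    if (open === -1) break;
    const close = substitution.indexOf(">", open + 2);
    if (close === -1) break;                    // rest of the string is literal
    const name = substitution.slice(open + 2, close);
    out += substitution.slice(pos, open);
    out += hasGroup(groups, name)
      ? "$" + groups[name]
      : substitution.slice(open, close + 1);
    pos = close + 1;
  }
  return out + substitution.slice(pos);
}

// What the compiled code effectively does: rewrite the replacement string,
// then hand the name-stripped regex to the native replace.
function polyfilledReplace(expand, str, re, groups, substitution) {
  return str.replace(re, expand(substitution, groups));
}

// Attacker-controlled replacement: "$<" repeated, never closed.
function hostileSubstitution(pairs) {
  return "$<".repeat(pairs);
}

function timeMs(fn) {
  const t0 = performance.now();
  fn();
  return performance.now() - t0;
}

// Benign use: both variants produce "05/2024".
console.log(polyfilledReplace(expandRefsQuadratic, "2024-05", DATE_RE, GROUPS, "$<month>/$<year>"));

// Hostile use: doubling the unclosed "$<" count should roughly quadruple the
// vulnerable variant's time while the linear variant stays near zero.
for (const pairs of [2000, 4000]) {
  const hostile = hostileSubstitution(pairs);
  const slow = timeMs(() => expandRefsQuadratic(hostile, GROUPS));
  const fast = timeMs(() => expandRefsLinear(hostile, GROUPS));
  console.log(`${pairs} unclosed "$<": vulnerable ${slow.toFixed(1)} ms, linear ${fast.toFixed(2)} ms`);
}
```

The two expanders return identical strings for every input, so the linear scanner is a drop-in replacement for the toy's regex; the point is that the quadratic variant's cost is driven entirely by the attacker's replacement string, which is why only the second argument of `.replace` matters for exposure.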
Remediation
Users should upgrade to Babel 7.26.10 or later (or 8.0.0-alpha.17 or later on the 8.x line). The vulnerable code is a helper that Babel emits into the compiled output, or that compiled code imports from `@babel/runtime` when `@babel/plugin-transform-runtime` is used, so after updating `@babel/core` and `@babel/helpers` (and `@babel/runtime` where applicable) the project must be recompiled: updating the compiler alone does not change bundles that were already built. Until that is done, do not pass attacker-controlled strings as the replacement argument of `.replace` on regular expressions with named capturing groups; passing a function as the replacement does not go through the vulnerable string rewrite.
