Babel SystemJS Module Transformation Vulnerability Allowing Arbitrary Code Execution

A vulnerability exists in Babel versions 7.12.0 prior to 7.29.4 and 8.0.0-alpha.0 through 8.0.0-alpha.12. When using Babel to compile code crafted by an attacker, it can generate output that executes arbitrary code. This issue arises in the '@babel/plugin-transform-modules-systemjs' plugin and in '@babel/preset-env' when the 'modules: "systemjs"' option is used, as it relies on the 'plugin-transform-modules-systemjs' plugin. The vulnerability is not a concern for users who only compile trusted code.

Impact

Exploitation of this vulnerability allows for arbitrary code execution in the context where the Babel-compiled code is executed.

Remediation

The vulnerability has been fixed in '@babel/plugin-transform-modules-systemjs' version 7.29.4. Users of '@babel/preset-env' can update to version 7.29.5, which includes the patched 'plugin-transform-modules-systemjs' dependency. If a direct update is not possible, '@babel/parser' can be pinned to version 7.11.5, although this may disable some new language features and could cause build pipeline failures. Alternatively, the 'modules: "systemjs"' option can be avoided by migrating to native ES Modules or other module formats.