Regular Expression Vulnerability in Babel Compiler Affecting JavaScript Applications
CVE-2025-27789

6.2 MEDIUM

Key Information:

Vendor: Babel
Status: Vendor
CVE Published: 11 March 2025

What is CVE-2025-27789?

A vulnerability has been identified in the Babel compiler in its handling of regular expressions that use named capturing groups. In Babel versions prior to 7.26.10, and in 8.0.0-alpha.0 through versions prior to 8.0.0-alpha.17, when a compiled regular expression containing named capturing groups is used with the .replace method, the polyfill Babel generates can exhibit quadratic complexity for certain replacement patterns. This poses a risk when untrusted strings are passed as the replacement argument, allowing for potential code execution vulnerabilities. To mitigate the issue, users should upgrade to fixed versions of @babel/helpers and @babel/runtime, and must also re-compile their code after updating, since previously compiled output still contains the old helper.

Affected Version(s)

babel < 7.26.10

babel >= 8.0.0-alpha.0, < 8.0.0-alpha.17
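As an added example (not Babel's own tooling), the following JavaScript decides whether an installed @babel/helpers or @babel/runtime version falls inside the ranges listed above and walks the "packages" map of a package-lock.json; the lockfile layout is assumed from npm's lockfile format, and the sample entries are constructed, not taken from a real project.

```javascript
// Added example, not Babel's own code: flag @babel/helpers and @babel/runtime
// versions inside the ranges this advisory lists (< 7.26.10, or
// >= 8.0.0-alpha.0 and < 8.0.0-alpha.17). Assumes semver-formatted versions.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : null };
}

// Semver precedence: numeric core, then pre-release identifiers (numeric ones
// compare as numbers, so alpha.2 < alpha.17; a release outranks its pre-releases).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x.core[i] !== y.core[i]) return x.core[i] - y.core[i];
  if (!x.pre || !y.pre) return (x.pre ? 0 : 1) - (y.pre ? 0 : 1); // release > pre-release
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined || q === undefined) return p === undefined ? -1 : 1;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn !== qn) return pn ? -1 : 1;                 // numeric sorts before alphanumeric
    const d = pn ? +p - +q : (p < q ? -1 : p > q ? 1 : 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isAffected(version) {
  if (compareVersions(version, '8.0.0-alpha.0') < 0) return compareVersions(version, '7.26.10') < 0;
  return compareVersions(version, '8.0.0-alpha.17') < 0;
}

const WATCHED = new Set(['@babel/helpers', '@babel/runtime']);

// packages: the "packages" map of a package-lock.json, keyed by install path.
function auditLockPackages(packages) {
  const hits = [];
  for (const [path, info] of Object.entries(packages)) {
    const i = path.lastIndexOf('node_modules/');
    if (i < 0 || !info.version) continue;             // skip the root entry
    const name = path.slice(i + 'node_modules/'.length);
    if (WATCHED.has(name) && isAffected(info.version)) hits.push(`${path}@${info.version}`);
  }
  return hits;
}

// Constructed lockfile excerpt (sample data, not from a real project).
const sampleLock = {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/@babel/helpers': { version: '7.26.9' },
  'node_modules/@babel/runtime': { version: '7.26.10' },
  'node_modules/some-dep/node_modules/@babel/runtime': { version: '8.0.0-alpha.2' },
};
console.log(auditLockPackages(sampleLock));
```

A lockfile check only covers the @babel/runtime and @babel/helpers packages; bundles that were compiled with the helper inlined keep the old polyfill until they are re-compiled, as the advisory notes.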

CVSS V3.1

Score: 6.2
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
