softprops / action-gh-release

📦 :octocat: GitHub Action for creating GitHub Releases
MIT License
3.91k stars 440 forks

Is this action affected by the CVE-2023-45133 vulnerability #402

Open yiming-wang-trend opened 7 months ago

yiming-wang-trend commented 7 months ago

CVE-2023-45133: Babel is a compiler for writing JavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods.

We grepped the entire repo to see if there is any code that uses @babel/traverse, and found that only package-lock.json contains the dependency; there is no place for it in the ./src code.


Could anyone confirm whether the presence of babel/traverse would still expose our project to this vulnerability? If so, what steps would be recommended to mitigate this risk?
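The check described in the issue (grep for the package, then look at package-lock.json) carried one step further, as an added example that is not code from the action-gh-release project or its author: the script parses the "packages" map of an npm lockfile (lockfileVersion 2 or 3), flags any @babel/traverse entry whose version is below 7.23.2 (the fixed version quoted in the advisory text above), reports whether npm marked that entry as reachable only from devDependencies, and walks the reverse dependency edges back to the root to show what pulls it in. The lock content, package names and versions embedded below are constructed for illustration and are not taken from the real repository; the numeric-only version comparison is a simplification that ignores prerelease tags.

```javascript
// Added example, not part of action-gh-release. Audits a package-lock.json
// "packages" map for one advisory. Run: node audit-lock.js path/to/package-lock.json
// With no argument it uses the CONSTRUCTED sample lock below (illustrative data).

// Assumed advisory data, taken from the CVE text quoted in the issue.
const ADVISORY = { name: "@babel/traverse", fixed: "7.23.2" };

// Constructed lockfile: an action with one runtime dependency and a test
// toolchain that transitively pulls in an old @babel/traverse as dev-only.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-action",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "example-action",
      dependencies: { "some-runtime-lib": "^1.0.0" },
      devDependencies: { jest: "^29.0.0" },
    },
    "node_modules/some-runtime-lib": { version: "1.2.0" },
    "node_modules/jest": { version: "29.5.0", dev: true, dependencies: { "babel-jest": "^29.5.0" } },
    "node_modules/babel-jest": { version: "29.5.0", dev: true, dependencies: { "@babel/core": "^7.0.0" } },
    "node_modules/@babel/core": { version: "7.22.0", dev: true, dependencies: { "@babel/traverse": "^7.22.0" } },
    "node_modules/@babel/traverse": { version: "7.22.5", dev: true },
  },
});

// Compare dotted numeric versions: -1, 0 or 1. Prerelease suffixes are dropped
// (simplifying assumption; use a semver library for production checks).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Lock keys look like "node_modules/a" or, for nested installs,
// "node_modules/a/node_modules/b"; the package name is the last segment.
function packageName(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? key : key.slice(idx + "node_modules/".length);
}

// Map each package name to the set of packages that declare it as a dependency.
// The root entry ("") is reported as "<root>".
function reverseDeps(packages) {
  const rev = new Map();
  for (const [key, entry] of Object.entries(packages)) {
    const from = key === "" ? "<root>" : packageName(key);
    const deps = { ...(entry.dependencies || {}), ...(entry.devDependencies || {}) };
    for (const dep of Object.keys(deps)) {
      if (!rev.has(dep)) rev.set(dep, new Set());
      rev.get(dep).add(from);
    }
  }
  return rev;
}

// Follow one reverse edge at a time from the advisory package back to the root,
// so the report shows which top-level dependency is responsible for it.
function dependencyChain(packages, name) {
  const rev = reverseDeps(packages);
  const chain = [name];
  const seen = new Set(chain);
  let cur = name;
  while (rev.has(cur)) {
    const parent = [...rev.get(cur)][0];
    if (seen.has(parent)) break; // guard against dependency cycles
    chain.unshift(parent);
    seen.add(parent);
    if (parent === "<root>") break;
    cur = parent;
  }
  return chain;
}

// Return one record per installed copy of the advisory package.
function auditLock(lockJson, advisory = ADVISORY) {
  const packages = JSON.parse(lockJson).packages || {};
  return Object.entries(packages)
    .filter(([key]) => key !== "" && packageName(key) === advisory.name)
    .map(([key, entry]) => ({
      path: key,
      version: entry.version,
      dev: entry.dev === true, // npm sets this when only devDependencies reach it
      vulnerable: compareVersions(entry.version, advisory.fixed) < 0,
      chain: dependencyChain(packages, advisory.name),
    }));
}

if (typeof require !== "undefined" && require.main === module) {
  const src = process.argv[2] ? require("fs").readFileSync(process.argv[2], "utf8") : SAMPLE_LOCK;
  for (const h of auditLock(src)) {
    console.log(`${h.path}@${h.version} vulnerable=${h.vulnerable} devOnly=${h.dev}`);
    console.log("  pulled in via: " + h.chain.join(" -> "));
  }
}
```

A `dev: true` entry means nothing in the runtime dependency set requires the package, which matches the grep result in the issue. For a JavaScript action the remaining question is whether the built artifact that consumers actually execute contains the module; if the bundle does not include @babel/traverse, the vulnerable code path never runs in a downstream workflow. Either way the remediation the advisory names is to move to 7.23.2 or later, which for a transitive dev dependency usually means refreshing the lockfile.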