The vulnerability of the path.evaluate() or path.evaluateTruthy() function in the compiler for writing Babel JavaScript code allows a malicious actor to execute arbitrary code.

🗓️ 04 Oct 2024 00:00:00Reported by FSTEC of Russia — Information Security Threat DatabaseType

bdu_fstec

bdu_fstec🔗 bdu.fstec.ru👁 3 Views

Vulnerability in path.evaluate() and path.evaluateTruthy() allows arbitrary code execution due to improper comparison.

Reporter	Title	Published	Views	Family All 83
IBM Security Bulletins	Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Babel	29 Nov 202314:48	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Storage Fusion may be vulnerable to Injection, Regular Expression Denial of Service (ReDoS), and Arbitrary Code Execution and via use of postcss, semver, babel-traverse (CVE-2023-45133, CVE-2022-25883, CVE-2023-44270)	16 Nov 202321:37	–	ibm
IBM Security Bulletins	Security Bulletin: IBM QRadar Use Case Manager app is vulnerable to using components with known vulnerabilities	14 Feb 202418:50	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite uses traverse-7.20.13.tgz which is vulnerable to CVE-2023-45133	19 Feb 202411:03	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data	2 Jan 202418:01	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security QRadar Network Threat Analytics app for IBM QRadar SIEM includes components with known vulnerabilities	22 Jul 202515:48	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security QRadar Analyst Workflow app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities	3 Jan 202413:16	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Storage Fusion HCI may be vulnerable to Injection, Regular Expression Denial of Service (ReDoS), and Arbitrary Code Execution and via use of postcss, semver, babel-traverse (CVE-2023-45133, CVE-2022-25883, CVE-2023-44270)	21 Dec 202317:24	–	ibm
IBM Security Bulletins	Security Bulletin: IBM QRadar Wincollect is vulnerable to using components with known vulnerabilities	15 Apr 202502:22	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak for Network Automation 2.6.4 fixes multiple security vulnerabilities	15 Dec 202314:31	–	ibm

Vulners

Node

babeljs babelRange<7.23.2

OR

babeljs babel_helper_define_polyfill_providerRange<0.4.3

OR

babeljs babel_plugin_polyfill_corejs_2Range<0.4.6

OR

babeljs babel_plugin_polyfill_corejs_3Range<0.8.5

OR

babeljs babel_plugin_polyfill_es_shimsRange<0.10.0

OR

babeljs babel_plugin_polyfill_regeneratorRange<0.5.3

OR

babeljs babel_plugin_transform_runtimeRange<7.23.2

OR

babeljs babel_preset_envRange<7.23.2

Source	Link
github	www.github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82
github	www.github.com/babel/babel/releases/tag/v7.23.2
github	www.github.com/babel/babel/releases/tag/v8.0.0-alpha.4
github	www.github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92
redos	www.redos.red-soft.ru/support/secure/uyazvimosti/uyazvimost-nodejs-babel-core-cve-2023-45133/
redos	www.redos.red-soft.ru/support/secure/uyazvimosti/uyazvimost-nodejs-babel-core-cve-2023-45133/
security-tracker	www.security-tracker.debian.org/tracker/CVE-2023-45133
vuldb	www.vuldb.com/ru/
xn--80ahaefyxhn	www.xn--80ahaefyxhn.xn--j1afgaq.xn--p1ai/bin/view/%D0%9E%D0%A1%D0%BD%D0%BE%D0%B2%D0%B0/%D0%9E%D0%B1%D0%BD%D0%BE%D0%B2%D0%BB%D0%B5%D0%BD%D0%B8%D1%8F/2.9/
web	www.web.nvd.nist.gov/view/vuln/detail

01 Jul 2025 00:00Current

7.1High risk

Vulners AI Score7.1

CVSS 27.2

CVSS 38.8

EPSS0.0052

path evaluate evaluate truthy arbitrary code execution improper comparison babel