← Back
2026-06-22 16:7CVE-2026-49356GitHub_M
PUBLISHED5.2CWE-22CWE-200

Babel: Arbitrary File Read via sourceMappingURL Comment in @babel/core

Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is running Babel, if the attacker controls the input source code, can read the output source code, and knows the path of the source map file that they want to read. This vulnerability is fixed in 8.0.0-rc.6 and 7.29.6.

Problem type

Affected products

babel

babel

>= 8.0.0-alpha.0, < 8.0.0-rc.5 - AFFECTED

< 7.29.6 - AFFECTED

References

https://github.com/babel/babel/security/advisories/GHSA-4x5r-pxfx-6jf8

https://github.com/babel/babel/security/advisories/GHSA-4x5r-pxfx-6jf8

x_refsource_CONFIRM

GitHub Security Advisories

GHSA-4x5r-pxfx-6jf8

@babel/core: Arbitrary File Read via sourceMappingURL Comment

https://github.com/advisories/GHSA-4x5r-pxfx-6jf8

Impact

Using @babel/core to compile maliciously crafted code can allow ab attacker to read any source map from the system that is running Babel, if these conditions are all true:

  • the attacker controls the input source code
  • the attacker can read the output source code
  • the attacker knows the path of the source map file that they want to read

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/core@7.29.6 and @babel/core@8.0.0-rc.6.

Workarounds

Callers can mitigate the issue without upgrading by setting inputSourceMap: false in their Babel options.

Callers can also manually extract the #sourceMappingURL comment from the input source code, validate whether the source map that it links to is allowed to be read, and if it is pass an object to inputSourceMap (passing false when it's not).

Credits

Thanks Teodor-Cristian Radoi for reporting the vulnerability.

github.com

https://github.com/babel/babel/security/advisories/GHSA-4x5r-pxfx-6jf8

babeljs.io

https://babeljs.io/docs/options#inputsourcemap

github.com

https://github.com/advisories/GHSA-4x5r-pxfx-6jf8

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-49356
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-49356",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-06-22T17:23:03.327Z",
    "dateReserved": "2026-05-29T14:35:45.904Z",
    "datePublished": "2026-06-22T16:07:01.764Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-06-22T16:07:01.764Z"
      },
      "title": "Babel: Arbitrary File Read via sourceMappingURL Comment in @babel/core",
      "descriptions": [
        {
          "lang": "en",
          "value": "Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is running Babel, if the attacker controls the input source code, can read the output source code, and knows the path of the source map file that they want to read. This vulnerability is fixed in 8.0.0-rc.6 and 7.29.6."
        }
      ],
      "affected": [
        {
          "vendor": "babel",
          "product": "babel",
          "versions": [
            {
              "version": ">= 8.0.0-alpha.0, < 8.0.0-rc.5",
              "status": "affected"
            },
            {
              "version": "< 7.29.6",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
              "cweId": "CWE-22",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "cweId": "CWE-200",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/babel/babel/security/advisories/GHSA-4x5r-pxfx-6jf8",
          "name": "https://github.com/babel/babel/security/advisories/GHSA-4x5r-pxfx-6jf8",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "attackVector": "LOCAL",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 3.2,
            "baseSeverity": "LOW"
          }
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-06-22T17:23:03.327Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}