GHSA-fv7c-fp4j-7gwp

Suggest an improvement
Source
https://github.com/advisories/GHSA-fv7c-fp4j-7gwp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-fv7c-fp4j-7gwp/GHSA-fv7c-fp4j-7gwp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fv7c-fp4j-7gwp
Aliases
  • CVE-2026-44728
Downstream
Related
Published
2026-05-08T20:34:07Z
Modified
2026-05-10T04:44:29.864755708Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
Details

Impact

Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code.

Known affected plugins are: - @babel/plugin-transform-modules-systemjs - @babel/preset-env when using the modules: "systemjs" option, as it delegates to @babel/plugin-transform-modules-systemjs

No other plugins under the @babel namespace are impacted.

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/plugin-transform-modules-systemjs@7.29.4.

Babel also released @babel/preset-env@7.29.5, updating its @babel/plugin-transform-modules-systemjs dependency, to simplify forcing the update if you are using @babel/preset-env directly.

Workarounds

  • Pin @babel/parser to v7.11.5. The downgrade will completely disable string module name parsing, but it would also disable other new language features and the build pipeline may fail as a result. Only do so if you are working on a legacy codebase and can not upgrade @babel/plugin-transform-modules-systemjs to v7.29.4.
  • Do not use the modules: "systemjs" option, migrate the codebase to native ES Modules or any other module formats.

Credits

Babel thanks Daniel Cervera for reporting the vulnerability.

Database specific 
{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-05-08T20:34:07Z",
    "cwe_ids": [
        "CWE-94",
        "CWE-843"
    ],
    "severity": "HIGH",
    "github_reviewed": true
}
References

Affected packages

npm / @babel/plugin-transform-modules-systemjs

Package

Name
@babel/plugin-transform-modules-systemjs
View open source insights on deps.dev
Purl
pkg:npm/%40babel/plugin-transform-modules-systemjs

Affected ranges

Type
SEMVER
Events
Introduced
7.12.0
Fixed
7.29.4

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-fv7c-fp4j-7gwp/GHSA-fv7c-fp4j-7gwp.json"
last_known_affected_version_range 
"<= 7.29.3"

npm / @babel/plugin-transform-modules-systemjs

Package

Name
@babel/plugin-transform-modules-systemjs
View open source insights on deps.dev
Purl
pkg:npm/%40babel/plugin-transform-modules-systemjs

Affected ranges

Type
SEMVER
Events
Introduced
8.0.0-alpha.0
Fixed
8.0.0-alpha.13

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-fv7c-fp4j-7gwp/GHSA-fv7c-fp4j-7gwp.json"
last_known_affected_version_range 
"<= 8.0.0-alpha.12"