GHSA-4x5r-pxfx-6jf8
@babel/core: Arbitrary File Read via sourceMappingURL Comment
Details
## Impact
Using `@babel/core` to compile maliciously crafted code can allow ab attacker to read any source map from the system that is running Babel, if these conditions are _all_ true: - the attacker controls the input source code - the attacker can read the output source code - the attacker knows the path of the source map file that they want to read
**Users that only compile trusted code are not impacted.**
## Patches
The vulnerability has been fixed in `@babel/core@7.29.6` and `@babel/core@8.0.0-rc.6`.
## Workarounds
Callers can mitigate the issue without upgrading by setting [`inputSourceMap: false`](https://babeljs.io/docs/options#inputsourcemap) in their Babel options.
Callers can also manually extract the `#sourceMappingURL` comment from the input source code, validate whether the source map that it links to is allowed to be read, and if it is pass an object to `inputSourceMap` (passing `false` when it's not).
## Credits
Thanks Teodor-Cristian Radoi for reporting the vulnerability.
Are you affected?
Enter the version of the package you're using.
Affected packages
8.0.0-alpha.0 Fixed in: 8.0.0-rc.6 npm install @babel/core@8.0.0-rc.6