CVE-2023-45133
JavaScript vulnerability analysis and mitigation

Overview

CVE-2023-45133 affects Babel, the widely used JavaScript compiler. The flaw is in @babel/traverse, the package that walks and rewrites Babel's AST, in versions prior to 7.23.2 and 8.0.0-alpha.4, and in every version of the legacy babel-traverse package. An attacker who can get crafted source code compiled by Babel can execute arbitrary code during compilation, provided the build uses a plugin that relies on the path.evaluate() or path.evaluateTruthy() internal Babel methods (GitHub Advisory).

Technical details

path.evaluate() and path.evaluateTruthy() are Babel's static-evaluation helpers: plugins call them to constant-fold an expression at build time, and for a small allowlist of host globals such as Math, String and Number they do this by invoking the real functions inside the compiler's process. A crafted expression could steer that lookup to a function the allowlist was never meant to expose, turning build-time constant folding into code execution. The affected callers are @babel/plugin-transform-runtime, @babel/preset-env (when its useBuiltIns option is set), and any polyfill provider plugin that depends on @babel/helper-define-polyfill-provider, including babel-plugin-polyfill-corejs2, babel-plugin-polyfill-corejs3, babel-plugin-polyfill-es-shims and babel-plugin-polyfill-regenerator. The vulnerability has a CVSS v3.1 base score of 9.3 (Critical) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H: local attack vector, because the attacker's code must reach the compiler as input; no privileges or user interaction required; changed scope, because the code runs with the rights of the whole build process rather than staying inside the compiler; and high impact on confidentiality, integrity and availability (GitHub Advisory, NVD).
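The following is an added illustration of the bug class, written for this page; it is not Babel's code and does not reproduce the exact chain by which the affected plugins end up running attacker code. It models a path.evaluate()-style constant folder over Babel-shaped AST nodes: an allowlist of global objects whose methods may be called at build time, with the method resolved by an ordinary property lookup. Because that lookup walks the prototype chain, String.constructor resolves to the global Function, so the "folded" value of String.constructor("...") is a function compiled from the attacker's string inside the compiler's process. The hardened variant restricts the lookup to own properties, which is the kind of check that closes this hole; all node constructors, the evaluator names and the inputs are constructed for the demo.

```javascript
// Added illustration, not Babel's code: a simplified constant folder in the
// style of path.evaluate() over Babel-shaped AST nodes. Names below are invented.

const VALID_OBJECT_CALLEES = new Set(["Number", "String", "Math"]);
const INVALID_METHODS = new Set(["random"]); // non-deterministic, never folded

// Minimal Babel-style node builders, used only to construct the inputs below.
const id = (name) => ({ type: "Identifier", name });
const str = (value) => ({ type: "StringLiteral", value });
const num = (value) => ({ type: "NumericLiteral", value });
const member = (object, property) => ({ type: "MemberExpression", object, property });
const call = (callee, args) => ({ type: "CallExpression", callee, arguments: args });

// Returns { confident, value } like Babel's evaluator: confident === false means
// "could not fold statically", and the caller must leave the expression alone.
function evaluateNode(node, { ownPropertiesOnly }) {
  switch (node.type) {
    case "StringLiteral":
    case "NumericLiteral":
      return { confident: true, value: node.value };

    case "CallExpression": {
      const { callee } = node;
      // Only fold Global.method(...) where Global is an identifier and
      // method is a plain (non-computed) identifier.
      if (
        callee.type !== "MemberExpression" ||
        callee.object.type !== "Identifier" ||
        callee.property.type !== "Identifier"
      ) {
        return { confident: false };
      }
      const objectName = callee.object.name;
      const key = callee.property.name;
      if (!VALID_OBJECT_CALLEES.has(objectName) || INVALID_METHODS.has(key)) {
        return { confident: false };
      }
      const context = globalThis[objectName];

      // The whole difference between the two variants: a plain lookup walks the
      // prototype chain, so String.constructor yields Function (inherited from
      // Function.prototype). An own-property check keeps the lookup on the
      // object the allowlist actually named.
      if (ownPropertiesOnly && !Object.prototype.hasOwnProperty.call(context, key)) {
        return { confident: false };
      }
      const func = context[key];
      if (typeof func !== "function") return { confident: false };

      // Arguments are folded first; any non-constant argument aborts the fold.
      const args = [];
      for (const arg of node.arguments) {
        const folded = evaluateNode(arg, { ownPropertiesOnly });
        if (!folded.confident) return { confident: false };
        args.push(folded.value);
      }
      // The real host function runs here, in the compiler's own process.
      return { confident: true, value: func.apply(context, args) };
    }

    default:
      return { confident: false };
  }
}

const evaluateUnsafe = (node) => evaluateNode(node, { ownPropertiesOnly: false });
const evaluateHardened = (node) => evaluateNode(node, { ownPropertiesOnly: true });

// Constructed inputs: the benign case a plugin wants folded, and a hostile one
// whose "constant" is a Function built from attacker-supplied source text.
const BENIGN = call(member(id("Math"), id("max")), [num(1), num(2)]);            // Math.max(1, 2)
const HOSTILE = call(member(id("String"), id("constructor")), [str("return 6 * 7")]); // String.constructor("...")

console.log("unsafe   Math.max(1, 2)          ->", evaluateUnsafe(BENIGN));
console.log("unsafe   String.constructor(...) ->", evaluateUnsafe(HOSTILE));   // value is a Function
console.log("hardened Math.max(1, 2)          ->", evaluateHardened(BENIGN));
console.log("hardened String.constructor(...) ->", evaluateHardened(HOSTILE)); // confident: false
```

Run under Node, the unsafe evaluator reports confident: true for the hostile input and hands back a function that, when invoked, executes the attacker's source in the build process; the hardened evaluator refuses to fold it while still folding Math.max(1, 2) to 2. Babel's real evaluator is considerably larger (literals, binary and template expressions, identifiers bound to constants), so treat this as the shape of the problem, not a reproduction of the patched code.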

Impact

Exploitation gives arbitrary code execution in the process running Babel, at compile time, whenever the input being compiled is attacker-controlled. The exposed population is therefore anything that compiles third-party or user-submitted code: hosted playgrounds and REPLs, CI jobs that build pull requests from forks, bundlers run over untrusted dependencies or plugins, and similar services. Projects that only compile their own trusted source are not affected, although they almost always still carry the vulnerable package transitively, since @babel/traverse is pulled in by @babel/core and most presets (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in @babel/traverse 7.23.2 and 8.0.0-alpha.4; the legacy babel-traverse package has no fixed release and should be migrated to @babel/traverse. Upgrade @babel/traverse to v7.23.2 or higher. If @babel/traverse cannot be upgraded immediately, update the affected callers to versions that avoid the vulnerable code path: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, and babel-plugin-polyfill-regenerator v0.5.3 (GitHub Advisory). Because @babel/traverse is almost always a transitive dependency, a lockfile can pin several nested copies at different versions; check every installed copy (for example with npm ls @babel/traverse) rather than only the top-level one, and regenerate the lockfile after upgrading so that no old copy survives under another package's node_modules.
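As an added example (not from the advisory or the Babel project), the script below scans an npm package-lock.json of lockfileVersion 2 or 3, whose "packages" map lists every installed copy including nested duplicates, and flags any copy of the packages above that is below its fixed version. It carries its own semver comparison so that prerelease lines (8.0.0-alpha.3 versus 8.0.0-alpha.4) and multi-digit patch numbers (7.23.10 versus 7.23.2) compare correctly. The sample lockfile, the project name and the helper names are constructed for the demo.

```javascript
// Added example, not project code: find vulnerable copies of the packages named
// in the advisory inside a lockfileVersion 2/3 package-lock.json.

// Minimum fixed version per affected package, taken from the advisory, sorted
// ascending. The empty list for babel-traverse (the pre-7 package) records
// that no fixed release exists.
const FIXED_VERSIONS = {
  "@babel/traverse": ["7.23.2", "8.0.0-alpha.4"],
  "babel-traverse": [],
  "@babel/plugin-transform-runtime": ["7.23.2"],
  "@babel/preset-env": ["7.23.2"],
  "@babel/helper-define-polyfill-provider": ["0.4.3"],
  "babel-plugin-polyfill-corejs2": ["0.4.6"],
  "babel-plugin-polyfill-corejs3": ["0.8.5"],
  "babel-plugin-polyfill-es-shims": ["0.10.0"],
  "babel-plugin-polyfill-regenerator": ["0.5.3"],
};

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}

// Semver precedence: numeric core first; a prerelease sorts below the plain
// release of the same core; prerelease identifiers compare left to right, with
// numeric identifiers compared as numbers and ranking below alphanumeric ones.
function compareSemver(a, b) {
  const A = parseSemver(a), B = parseSemver(b);
  for (let i = 0; i < 3; i++) if (A.core[i] !== B.core[i]) return A.core[i] < B.core[i] ? -1 : 1;
  if (!A.pre.length && !B.pre.length) return 0;
  if (!A.pre.length) return 1;
  if (!B.pre.length) return -1;
  for (let i = 0; i < Math.max(A.pre.length, B.pre.length); i++) {
    if (i >= A.pre.length) return -1; // shorter prerelease list is lower
    if (i >= B.pre.length) return 1;
    const x = A.pre[i], y = B.pre[i];
    const xNum = /^\d+$/.test(x), yNum = /^\d+$/.test(y);
    if (xNum && yNum) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (xNum !== yNum) return xNum ? -1 : 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Vulnerable if below the fix on its own major line. A major line with no fix
// listed is compared against the highest fix, so a later major counts as fixed
// and an earlier one as vulnerable (conservative for unknown old lines).
function isVulnerable(name, version) {
  const fixed = FIXED_VERSIONS[name];
  if (fixed === undefined) return false; // not an affected package
  if (fixed.length === 0) return true;   // no fixed release exists
  const major = parseSemver(version).core[0];
  const sameLine = fixed.find((f) => parseSemver(f).core[0] === major);
  return compareSemver(version, sameLine ?? fixed[fixed.length - 1]) < 0;
}

// Lock keys look like "node_modules/tool/node_modules/@scope/pkg"; the package
// name is everything after the last "node_modules/".
function packageNameFromPath(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? key : key.slice(i + "node_modules/".length);
}

function scanLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages ?? {})) {
    if (key === "" || !entry.version) continue; // "" is the root project itself
    const name = entry.name ?? packageNameFromPath(key);
    if (isVulnerable(name, entry.version)) {
      findings.push({ path: key, name, version: entry.version, fixed: FIXED_VERSIONS[name] });
    }
  }
  return findings;
}

// Constructed sample lockfile: the top-level @babel/traverse is already fixed,
// which is what `npm view` or a glance at package.json would show, but a build
// tool pins its own older nested copy, preset-env is stale, and a legacy
// babel-traverse is still installed.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@babel/traverse": { version: "7.23.2" },
    "node_modules/@babel/preset-env": { version: "7.22.20" },
    "node_modules/some-build-tool": { version: "2.0.0" },
    "node_modules/some-build-tool/node_modules/@babel/traverse": { version: "7.22.8" },
    "node_modules/babel-traverse": { version: "6.26.0" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

console.table(scanLockfile(SAMPLE_LOCK)); // three findings; the top-level traverse is clean
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")). Lockfiles of version 1 keep the tree under "dependencies" instead of "packages" and are not handled here; yarn and pnpm lockfiles use their own formats, and the same version table can be applied to the output of yarn why or pnpm why.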

Community reactions

Major Linux distributions shipped fixes for the packaged copies of Babel: Debian issued DSA-5528-1 for node-babel7 in the stable release and DLA-3618-1 for node-babel in the oldstable (LTS) release (Debian Security, Debian LTS).

This report was generated using AI.

Related JavaScript vulnerabilities:

CVE ID                Severity   Score   Technology   Component                   CISA KEV exploit   Has fix   Published date
CVE-2025-59159        CRITICAL   9.6     JavaScript   sillytavern                 No                 Yes       Oct 06, 2025
CVE-2025-11362        HIGH       8.7     JavaScript   pdfmake                     No                 Yes       Oct 07, 2025
CVE-2025-59536        HIGH       8.7     JavaScript   @anthropic-ai/claude-code   No                 Yes       Oct 03, 2025
GHSA-mm7p-fcc7-pg87   MEDIUM     5.5     JavaScript   nodemailer                  No                 Yes       Oct 07, 2025
CVE-2025-59829        LOW        2.3     JavaScript   @anthropic-ai/claude-code   No                 Yes       Oct 03, 2025
