CVE-2025-27789: 
JavaScript vulnerability analysis and mitigation

Babel, a compiler for writing next generation JavaScript, disclosed a vulnerability (CVE-2025-27789) on March 11, 2025. The vulnerability affects versions of Babel prior to 7.26.10 and 8.0.0-alpha.17, specifically in the compilation of regular expression named capturing groups. The issue involves the generation of a polyfill for the .replace method that exhibits quadratic complexity on certain replacement pattern strings (GitHub Advisory).

The vulnerability occurs when Babel generates code for regular expression named capturing groups. The issue specifically manifests in the .replace method polyfill, which demonstrates quadratic complexity when processing specific replacement pattern strings. The vulnerability has been assigned a CVSS v3.1 base score of 6.2 (Medium) with a vector string of CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating local attack vector, low attack complexity, no privileges required, and high impact on availability (GitHub Advisory).

The vulnerability can lead to excessive CPU usage and potential denial of service when processing certain input patterns. The impact is particularly significant when the code processes untrusted strings as the second argument of .replace. The vulnerability affects applications that use Babel to compile regular expression named capturing groups and utilize the .replace method on regular expressions containing named capturing groups (GitHub Advisory).

The vulnerability has been fixed in @babel/helpers and @babel/runtime versions 7.26.10 and 8.0.0-alpha.17. While upgrading to @babel/core 7.26.10 is not mandatory, it ensures the use of a patched @babel/helpers version. It's important to note that updating Babel dependencies alone is insufficient; the code must be recompiled after the update. As a workaround, users can validate input strings to ensure they don't contain the substring $< when it's not followed by > (GitHub Advisory).