{ "schema_version": "1.4.0", "id": "GHSA-968p-4wvh-cqc8", "modified": "2025-04-16T15:39:50Z", "published": "2025-03-11T20:30:18Z", "aliases": [ "CVE-2025-27789" ], "summary": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups", "details": "### Impact\n\nWhen using Babel to compile [regular expression named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group), Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`).\n\nYour generated code is vulnerable if _all_ the following conditions are true:\n- You use Babel to compile [regular expression named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group)\n- You use the `.replace` method on a regular expression that contains named capturing groups\n- **Your code uses untrusted strings as the second argument of `.replace`**\n\nIf you are using `@babel/preset-env` with the [`targets`](https://babeljs.io/docs/options#targets) option, the transform that injects the vulnerable code is automatically enabled if:\n- you use [_duplicated_ named capturing groups](https://github.com/tc39/proposal-duplicate-named-capturing-groups), and target any browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23\n- you use any [named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group), and target any browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10\n\nYou can verify what transforms `@babel/preset-env` is using by enabling the [`debug` option](https://babeljs.io/docs/babel-preset-env#debug).\n\n\n### Patches\n\nThis problem has been fixed in `@babel/helpers` and `@babel/runtime` 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on `@babel/helpers`, and instead you depend on `@babel/core` (which itself depends on `@babel/helpers`). Upgrading to `@babel/core` 7.26.10 is not required, but it guarantees that you are on a new enough `@babel/helpers` version.\n\nPlease note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.\n\n### Workarounds\n\nIf you are passing user-provided strings as the second argument of `.replace` on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring `$<` if it's then not followed by `>` (possibly with other characters in between).\n\n### References\n\nThis vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "@babel/helpers" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "7.26.10" } ] } ] }, { "package": { "ecosystem": "npm", "name": "@babel/runtime" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "7.26.10" } ] } ] }, { "package": { "ecosystem": "npm", "name": "@babel/runtime-corejs2" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "7.26.10" } ] } ] }, { "package": { "ecosystem": "npm", "name": "@babel/runtime-corejs3" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "7.26.10" } ] } ] }, { "package": { "ecosystem": "npm", "name": "@babel/helpers" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0-alpha.0" }, { "fixed": "8.0.0-alpha.17" } ] } ], "database_specific": { "last_known_affected_version_range": "< 8.0.0-alpha.16" } }, { "package": { "ecosystem": "npm", "name": "@babel/runtime" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0-alpha.0" }, { "fixed": "8.0.0-alpha.17" } ] } ], "database_specific": { "last_known_affected_version_range": "< 8.0.0-alpha.16" } }, { "package": { "ecosystem": "npm", "name": "@babel/runtime-corejs2" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0-alpha.0" }, { "fixed": "8.0.0-alpha.17" } ] } ], "database_specific": { "last_known_affected_version_range": "< 8.0.0-alpha.16" } }, { "package": { "ecosystem": "npm", "name": "@babel/runtime-corejs3" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0-alpha.0" }, { "fixed": "8.0.0-alpha.17" } ] } ], "database_specific": { "last_known_affected_version_range": "< 8.0.0-alpha.16" } } ], "references": [ { "type": "WEB", "url": "https://github.com/babel/babel/security/advisories/GHSA-968p-4wvh-cqc8" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27789" }, { "type": "WEB", "url": "https://github.com/babel/babel/pull/17173" }, { "type": "WEB", "url": "https://github.com/babel/babel/commit/d5952e80c0faa5ec20e35085531b6e572d31dad4" }, { "type": "PACKAGE", "url": "https://github.com/babel/babel" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-03-11T20:30:18Z", "nvd_published_at": "2025-03-11T20:15:18Z" } }