Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-44728

CVE-2026-44728: Babel Babel RCE Vulnerability

CVE-2026-44728 is a remote code execution vulnerability in Babel that allows attackers to execute arbitrary code through specially crafted input. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-44728 Overview

CVE-2026-44728 is a code injection vulnerability ([CWE-94]) in Babel, the widely used JavaScript compiler. The flaw affects Babel versions 7.12.0 through versions prior to 7.29.4, as well as 8.0.0-alpha.13. When Babel compiles attacker-crafted source code, the compiler emits output that executes arbitrary code at runtime. The vulnerability shifts trust from runtime to build time, turning the compilation step itself into an attack surface. Maintainers fixed the issue in Babel 7.29.4 and 8.0.0-alpha.13.

Critical Impact

Compiling untrusted JavaScript with a vulnerable Babel version can produce malicious output that executes arbitrary code in any environment running the compiled bundle.

Affected Products

  • Babel 7.12.0 through versions before 7.29.4
  • Babel 8.0.0-alpha.0 through 8.0.0-alpha.12
  • Build pipelines and applications that compile untrusted JavaScript with affected Babel versions

Discovery Timeline

  • 2026-05-26 - CVE-2026-44728 published to NVD
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-44728

Vulnerability Analysis

Babel transforms modern JavaScript syntax into backward-compatible code. The vulnerability lies in how Babel handles certain crafted input during code generation. An attacker who controls the source code passed to Babel can structure that input so the compiler emits JavaScript that, when later executed, runs arbitrary attacker-controlled logic.

This is significant because developers typically treat compiler output as trusted artifacts. Build systems, continuous integration pipelines, and serverless platforms frequently pass third-party or user-submitted code through Babel without sandboxing the resulting bundle. The vulnerability requires user interaction, meaning a developer or automated pipeline must invoke Babel against the malicious input.

Root Cause

The root cause is improper handling of attacker-controlled syntactic constructs during transformation. Babel generates output that does not preserve the semantic boundaries of the input, allowing crafted code patterns to produce executable payloads in the compiled result. The Babel maintainers categorize the issue under improper control of code generation ([CWE-94]). See the Babel GitHub Security Advisory GHSA-fv7c-fp4j-7gwp for technical specifics.

Attack Vector

Exploitation requires that a victim compile attacker-supplied JavaScript. Realistic delivery paths include malicious npm packages consumed as dependencies, pull requests submitted to open-source projects, online code playgrounds that compile user input, and Software-as-a-Service platforms that run customer-supplied transforms. Once compiled, the output executes wherever the bundle runs, including Node.js servers, browsers, and edge runtimes. The vulnerability is described in prose only; consult the vendor advisory for technical details.

Detection Methods for CVE-2026-44728

Indicators of Compromise

  • Presence of @babel/core, @babel/parser, or related Babel packages at versions between 7.12.0 and 7.29.3, or any 8.0.0-alpha release before alpha.13 in package-lock.json or yarn.lock
  • Unexpected runtime behavior, outbound network connections, or filesystem activity originating from compiled JavaScript bundles
  • Build pipelines that ingest third-party or user-submitted JavaScript without isolation

Detection Strategies

  • Run npm ls @babel/core @babel/parser @babel/generator across repositories to enumerate Babel versions in use
  • Use Software Composition Analysis (SCA) tooling to flag affected version ranges in direct and transitive dependencies
  • Audit CI/CD logs for Babel invocations against externally sourced code and review the generated artifacts

Monitoring Recommendations

  • Monitor build agents for anomalous child processes spawned during or after Babel transformation steps
  • Alert on outbound connections initiated by Node.js processes running compiled output in production
  • Track integrity of build artifacts with cryptographic hashing and compare against expected baselines

How to Mitigate CVE-2026-44728

Immediate Actions Required

  • Upgrade Babel to 7.29.4 or 8.0.0-alpha.13 across all projects and build pipelines
  • Re-run all builds that compiled untrusted or third-party JavaScript with vulnerable versions and inspect generated bundles
  • Treat any artifact produced by an affected Babel version against untrusted input as potentially compromised until reviewed

Patch Information

The Babel maintainers released fixes in versions 7.29.4 and 8.0.0-alpha.13. Both updates correct the code generation behavior that allowed crafted input to produce executable output. Refer to the Babel GitHub Security Advisory GHSA-fv7c-fp4j-7gwp for full remediation guidance and version metadata.

Workarounds

  • Avoid compiling untrusted JavaScript with Babel until upgraded versions are deployed
  • Isolate build steps that process third-party code in ephemeral, network-restricted containers
  • Pin Babel and related plugins to fixed versions in package.json and enforce lockfile integrity checks in CI
bash
# Upgrade Babel to the patched release
npm install --save-dev @babel/core@^7.29.4 @babel/cli@^7.29.4 @babel/preset-env@^7.29.4

# Verify installed versions
npm ls @babel/core @babel/parser @babel/generator @babel/traverse

# Audit for known advisories
npm audit --production

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne