Fluid Attacks Database

Description

Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	@babel/plugin-transform-modules-systemjs	>=7.12.0 <7.29.4 \|\| >=8.0.0-alpha.0 <8.0.0-alpha.13	7.29.4, 8.0.0-alpha.13
debian 11	node-babel7	=7.12.12+~cs150.141.84-6 \|\| =7.12.12+~cs150.141.84-6+deb11u1 \|\| =7.12.12+~cs150.141.84-7 \|\| =7.12.12+~cs150.141.84-8 \|\| =7.16.10+~cs214.260.188-1 \|\| =7.16.12+~cs214.260.189-1 \|\| =7.16.12+~cs214.260.189-2 \|\| =7.16.6+ds1+~cs214.259.181-1 \|\| =7.16.6+ds1+~cs214.259.181-2 \|\| =7.16.6+ds1+~cs214.259.181-3 \|\| =7.16.6+ds1+~cs214.259.181-4 \|\| =7.16.6+ds1+~cs214.259.181-5 \|\| =7.16.6+~cs215.259.185-1 \|\| =7.16.6+~cs215.259.185-2 \|\| =7.16.7+~cs214.260.184-1 \|\| =7.16.9+~cs214.260.184-1 \|\| =7.17.11+~cs214.263.190-1 \|\| =7.17.11+~cs214.263.190-2 \|\| =7.17.2+~cs214.260.190-1 \|\| =7.17.4+~cs214.260.190-1 \|\| =7.17.4+~cs214.260.190-2 \|\| =7.17.5+~cs214.260.190-1 \|\| =7.17.6+~cs214.260.190-1 \|\| =7.17.7+~cs214.260.190-1 \|\| =7.17.8+~cs214.260.191-1 \|\| =7.17.8+~cs214.260.191-2 \|\| =7.17.9+~cs214.260.191-1 \|\| =7.17.9+~cs214.260.191-2 \|\| =7.18.12+~cs214.250.184-1 \|\| =7.18.13+~cs214.250.184-1 \|\| =7.18.13+~cs214.250.184-2 \|\| =7.18.13+~cs214.250.184-3 \|\| =7.18.4+~cs214.249.185-1 \|\| =7.18.4+~cs214.249.185-2 \|\| =7.18.5+~cs214.249.185-1 \|\| =7.18.6+~cs214.249.185-1 \|\| =7.18.7+~cs214.249.185-1 \|\| =7.18.8+~cs214.249.185-1 \|\| =7.18.9+~cs214.249.185-1 \|\| =7.19.0+~cs214.250.185-1 \|\| =7.19.2+ds1+~cs214.250.186-1 \|\| =7.19.2+ds1+~cs214.250.186-2 \|\| =7.19.2+~cs214.250.185-1 \|\| =7.19.2+~cs214.250.185-2 \|\| =7.19.3+ds1+~cs214.250.186-1 \|\| =7.19.3+ds1+~cs214.250.186-2 \|\| =7.19.3+ds1+~cs214.250.186-3 \|\| =7.19.5+ds1+~cs214.250.186-1 \|\| =7.19.6+ds1+~cs214.250.186-1 \|\| =7.20.0+ds1+~cs214.250.186-1 \|\| =7.20.1+ds1+~cs214.250.186-1 \|\| =7.20.1+ds1+~cs214.250.186-2 \|\| =7.20.11+ds1+~cs214.250.188-1 \|\| =7.20.12+ds1+~cs214.250.188-1 \|\| =7.20.14+ds1+~cs214.269.168-1 \|\| =7.20.15+ds1+~cs214.269.168-1 \|\| =7.20.15+ds1+~cs214.269.168-10 \|\| =7.20.15+ds1+~cs214.269.168-11 \|\| =7.20.15+ds1+~cs214.269.168-12 \|\| =7.20.15+ds1+~cs214.269.168-13 \|\| =7.20.15+ds1+~cs214.269.168-14 \|\| =7.20.15+ds1+~cs214.269.168-15 \|\| =7.20.15+ds1+~cs214.269.168-16 \|\| =7.20.15+ds1+~cs214.269.168-17 \|\| =7.20.15+ds1+~cs214.269.168-2 \|\| =7.20.15+ds1+~cs214.269.168-3 \|\| =7.20.15+ds1+~cs214.269.168-4 \|\| =7.20.15+ds1+~cs214.269.168-5 \|\| =7.20.15+ds1+~cs214.269.168-6 \|\| =7.20.15+ds1+~cs214.269.168-7 \|\| =7.20.15+ds1+~cs214.269.168-8 \|\| =7.20.15+ds1+~cs214.269.168-9 \|\| =7.20.4+ds1+~cs214.250.187-1 \|\| =7.20.6+ds1+~cs214.250.188-1	-
debian 12	node-babel7	=7.20.15+ds1+~cs214.269.168-10 \|\| =7.20.15+ds1+~cs214.269.168-11 \|\| =7.20.15+ds1+~cs214.269.168-12 \|\| =7.20.15+ds1+~cs214.269.168-13 \|\| =7.20.15+ds1+~cs214.269.168-14 \|\| =7.20.15+ds1+~cs214.269.168-15 \|\| =7.20.15+ds1+~cs214.269.168-16 \|\| =7.20.15+ds1+~cs214.269.168-17 \|\| =7.20.15+ds1+~cs214.269.168-3 \|\| =7.20.15+ds1+~cs214.269.168-3+deb12u1 \|\| =7.20.15+ds1+~cs214.269.168-3+deb12u2 \|\| =7.20.15+ds1+~cs214.269.168-4 \|\| =7.20.15+ds1+~cs214.269.168-5 \|\| =7.20.15+ds1+~cs214.269.168-6 \|\| =7.20.15+ds1+~cs214.269.168-7 \|\| =7.20.15+ds1+~cs214.269.168-8 \|\| =7.20.15+ds1+~cs214.269.168-9	-
debian 13	node-babel7	=7.20.15+ds1+~cs214.269.168-10 \|\| =7.20.15+ds1+~cs214.269.168-11 \|\| =7.20.15+ds1+~cs214.269.168-12 \|\| =7.20.15+ds1+~cs214.269.168-13 \|\| =7.20.15+ds1+~cs214.269.168-14 \|\| =7.20.15+ds1+~cs214.269.168-15 \|\| =7.20.15+ds1+~cs214.269.168-16 \|\| =7.20.15+ds1+~cs214.269.168-17 \|\| =7.20.15+ds1+~cs214.269.168-8 \|\| =7.20.15+ds1+~cs214.269.168-9	-
debian 14	node-babel7	=7.20.15+ds1+~cs214.269.168-10 \|\| =7.20.15+ds1+~cs214.269.168-11 \|\| =7.20.15+ds1+~cs214.269.168-12 \|\| =7.20.15+ds1+~cs214.269.168-13 \|\| =7.20.15+ds1+~cs214.269.168-14 \|\| =7.20.15+ds1+~cs214.269.168-15 \|\| =7.20.15+ds1+~cs214.269.168-16 \|\| =7.20.15+ds1+~cs214.269.168-17 \|\| =7.20.15+ds1+~cs214.269.168-8 \|\| =7.20.15+ds1+~cs214.269.168-9	-

Aliases

1. CVE-2026-447282. NVD-2026-447283. OSV-2026-447284. OSV-DEBIAN-2026-447285. GHSA-fv7c-fp4j-7gwp6. GCVE-2026-447287. SECURITY-TRACKER-CVE-2026-44728

References

1. https://github.com/babel/babel/security/advisories/GHSA-fv7c-fp4j-7gwp

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.