CVE-2026-49356 - Low Severity Vulnerability
Vulnerable Library - core-7.11.4.tgz
Babel compiler core.
Library home page: https://registry.npmjs.org/@babel/core/-/core-7.11.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/core/package.json
Dependency Hierarchy:
- nuxt-2.14.3.tgz (Root Library)
- webpack-2.14.3.tgz
- ❌ core-7.11.4.tgz (Vulnerable Library)
Found in HEAD commit: de1c2b0d1a23367b161c2d995029f9693bd8a155
Found in base branch: master
Vulnerability Details
Impact Using "@babel/core" to compile maliciously crafted code can allow ab attacker to read any source map from the system that is running Babel, if these conditions are all true: - the attacker controls the input source code - the attacker can read the output source code - the attacker knows the path of the source map file that they want to read Users that only compile trusted code are not impacted. Patches The vulnerability has been fixed in "@babel/core@7.29.6" and "@babel/core@8.0.0-rc.6". Workarounds Callers can mitigate the issue without upgrading by setting ""inputSourceMap: false"" (https://babeljs.io/docs/options#inputsourcemap) in their Babel options. Callers can also manually extract the "#sourceMappingURL" comment from the input source code, validate whether the source map that it links to is allowed to be read, and if it is pass an object to "inputSourceMap" (passing "false" when it's not). Credits Thanks Teodor-Cristian Radoi for reporting the vulnerability.
Publish Date: 2026-06-15
URL: CVE-2026-49356
CVSS 3 Score Details (3.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-15
Fix Resolution: https://github.com/babel/babel.git - 7.29.6,https://github.com/babel/babel.git - 8.0.0-rc.6
Step up your Open Source Security Game with Mend here
CVE-2026-49356 - Low Severity Vulnerability
Babel compiler core.
Library home page: https://registry.npmjs.org/@babel/core/-/core-7.11.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/core/package.json
Dependency Hierarchy:
Found in HEAD commit: de1c2b0d1a23367b161c2d995029f9693bd8a155
Found in base branch: master
Impact Using "@babel/core" to compile maliciously crafted code can allow ab attacker to read any source map from the system that is running Babel, if these conditions are all true: - the attacker controls the input source code - the attacker can read the output source code - the attacker knows the path of the source map file that they want to read Users that only compile trusted code are not impacted. Patches The vulnerability has been fixed in "@babel/core@7.29.6" and "@babel/core@8.0.0-rc.6". Workarounds Callers can mitigate the issue without upgrading by setting ""inputSourceMap: false"" (https://babeljs.io/docs/options#inputsourcemap) in their Babel options. Callers can also manually extract the "#sourceMappingURL" comment from the input source code, validate whether the source map that it links to is allowed to be read, and if it is pass an object to "inputSourceMap" (passing "false" when it's not). Credits Thanks Teodor-Cristian Radoi for reporting the vulnerability.
Publish Date: 2026-06-15
URL: CVE-2026-49356
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2026-06-15
Fix Resolution: https://github.com/babel/babel.git - 7.29.6,https://github.com/babel/babel.git - 8.0.0-rc.6
Step up your Open Source Security Game with Mend here