CVE-2026-49356 - Low Severity Vulnerability
Vulnerable Library - core-7.29.0.tgz
Babel compiler core.
Library home page: https://registry.npmjs.org/@babel/core/-/core-7.29.0.tgz
Path to dependency file: /OPENAPI-REST-API/openapi-client/javascript/package.json
Path to vulnerable library: /OPENAPI-REST-API/openapi-client/javascript/node_modules/@babel/core/package.json,/OPENAPI-REST-API/swagger-client/javascript/node_modules/@babel/core/package.json
Dependency Hierarchy:
- cli-7.28.6.tgz (Root Library)
- ❌ core-7.29.0.tgz (Vulnerable Library)
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Vulnerability Details
Impact Using "@babel/core" to compile maliciously crafted code can allow ab attacker to read any source map from the system that is running Babel, if these conditions are all true: - the attacker controls the input source code - the attacker can read the output source code - the attacker knows the path of the source map file that they want to read Users that only compile trusted code are not impacted. Patches The vulnerability has been fixed in "@babel/core@7.29.6" and "@babel/core@8.0.0-rc.6". Workarounds Callers can mitigate the issue without upgrading by setting ""inputSourceMap: false"" (https://babeljs.io/docs/options#inputsourcemap) in their Babel options. Callers can also manually extract the "#sourceMappingURL" comment from the input source code, validate whether the source map that it links to is allowed to be read, and if it is pass an object to "inputSourceMap" (passing "false" when it's not). Credits Thanks Teodor-Cristian Radoi for reporting the vulnerability.
Publish Date: 2026-06-15
URL: CVE-2026-49356
CVSS 3 Score Details (3.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4x5r-pxfx-6jf8
Release Date: 2026-06-15
Fix Resolution: @babel/core - 7.29.6,@babel/core - 8.0.0-rc.6
Step up your Open Source Security Game with Mend here
CVE-2026-49356 - Low Severity Vulnerability
Babel compiler core.
Library home page: https://registry.npmjs.org/@babel/core/-/core-7.29.0.tgz
Path to dependency file: /OPENAPI-REST-API/openapi-client/javascript/package.json
Path to vulnerable library: /OPENAPI-REST-API/openapi-client/javascript/node_modules/@babel/core/package.json,/OPENAPI-REST-API/swagger-client/javascript/node_modules/@babel/core/package.json
Dependency Hierarchy:
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Impact Using "@babel/core" to compile maliciously crafted code can allow ab attacker to read any source map from the system that is running Babel, if these conditions are all true: - the attacker controls the input source code - the attacker can read the output source code - the attacker knows the path of the source map file that they want to read Users that only compile trusted code are not impacted. Patches The vulnerability has been fixed in "@babel/core@7.29.6" and "@babel/core@8.0.0-rc.6". Workarounds Callers can mitigate the issue without upgrading by setting ""inputSourceMap: false"" (https://babeljs.io/docs/options#inputsourcemap) in their Babel options. Callers can also manually extract the "#sourceMappingURL" comment from the input source code, validate whether the source map that it links to is allowed to be read, and if it is pass an object to "inputSourceMap" (passing "false" when it's not). Credits Thanks Teodor-Cristian Radoi for reporting the vulnerability.
Publish Date: 2026-06-15
URL: CVE-2026-49356
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-4x5r-pxfx-6jf8
Release Date: 2026-06-15
Fix Resolution: @babel/core - 7.29.6,@babel/core - 8.0.0-rc.6
Step up your Open Source Security Game with Mend here