Impact
Babel is a JavaScript compiler that transpiles modern source code into browser-compatible JavaScript. The vulnerability exists in the @babel/plugin-transform-modules-systemjs plugin: from Babel version 7.12.0 up to (but excluding) 7.29.4, and in 8.0.0 pre-releases before 8.0.0-alpha.13, the plugin does not adequately sanitize specially crafted input. Consequently, malicious source code can force Babel to emit arbitrary code in the compiled output. The flaw is rooted in improper control of code generation (CWE-843) and a failure to reject unsafe payloads (CWE-94). An attacker who supplies malicious source, for example through a compromised npm package, can cause the resulting bundle to execute unintended code in any environment that runs the transpiled script.
Affected Systems
The fault affects the @babel/plugin-transform-modules-systemjs plugin used by the Babel compiler. All Babel distributions, whether the main babel package or the plugin installed on its own, that run the affected plugin versions are impacted. Specifically, any installation of @babel/plugin-transform-modules-systemjs from version 7.12.0 through 7.29.3 (inclusive), and any 8.0.0 pre-release build earlier than 8.0.0-alpha.13, is vulnerable. Upgrading to 7.29.4 or later, or to 8.0.0-alpha.13 or later, eliminates the risk.
Risk and Exploitability
The CVSS score of 8.2 rates the issue as high severity. The attack requires only the ability to influence the source code passed to the transpiler, which is often trivial in build pipelines that incorporate external packages. No EPSS score is available, and the absence of a KEV listing indicates no confirmed in-the-wild exploitation yet. However, the potential for arbitrary code execution and the breadth of affected versions make the vulnerability a serious threat, especially in open-source or continuous-integration environments where source may come from untrusted parties. An attacker who succeeds can therefore compromise the runtime of any application that consumes the compromised transpiled output.
OpenCVE Enrichment
GitHub GHSA