Impact
The vulnerability lies in how @babel/core handles the sourceMappingURL comment. By injecting a specially crafted comment, a code consumer who controls the input source text can cause Babel to read any source map file present on the host system, provided the path of the desired file is known. This is an information-exposure flaw: the source map contents that are revealed may include source code or configuration data. The underlying weaknesses correspond to information exposure (CWE-200) and path traversal (CWE-22), and the impact is limited to reading the contents of arbitrary files on the system.
Affected Systems
The affected product is Babel's @babel/core compiler. All versions prior to 8.0.0-rc.6 and 7.29.6 are vulnerable; the problem is fixed in 8.0.0-rc.6 and 7.29.6 and later releases.
Risk and Exploitability
The CVSS score of 3.2 indicates low severity; no EPSS score is provided, and the vulnerability is not listed in CISA KEV. Exploitation requires that an attacker can supply input source code that is processed by a running instance of Babel, which is typically a local or trusted-code scenario. Based on the description, it is inferred that an attacker without network access would need to obtain execution privileges on the host running Babel in order to supply malicious code. The low CVSS score reflects that the primary consequence is exposure of confidential data via file reads, rather than code execution or denial of service.
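The following is an added example, not code from the advisory or from the Babel project, that shows one way a build pipeline can surface the input described above: it scans JavaScript that comes from an untrusted source for sourceMappingURL comments, classifies where each one points (inline data URI, relative path, absolute or traversal path), and can strip the comments before the text is handed to a transpiler. The comment regex is this example's own approximation of the syntax and is not Babel's parser; the sample input, the file paths in it, and the `isSuspicious` policy are all constructed for illustration.

```javascript
// Added example: pre-screen untrusted source text for sourceMappingURL comments.
// The regex is an approximation of the comment syntax, not Babel's own parser.
const SOURCE_MAPPING_URL_RE =
  /(?:\/\/|\/\*)\s*[#@]\s*sourceMappingURL\s*=\s*([^\s'"`*]+)/g;

// Classify the referenced target so a policy can decide what to do with it.
function classifyTarget(url) {
  if (/^data:/i.test(url)) return 'inline';                 // map embedded in the comment
  if (/^file:/i.test(url)) return 'absolute';               // file: URL names a host path
  if (/^[\\/]/.test(url) || /^[a-zA-Z]:[\\/]/.test(url)) return 'absolute';
  if (/^[a-z][a-z0-9+.-]*:/i.test(url)) return 'remote';    // http:, https:, ...
  if (/(^|[\\/])\.\.([\\/]|$)/.test(url)) return 'traversal';
  return 'relative';
}

// Return every sourceMappingURL comment with its 1-based line number and class.
function findSourceMappingURLs(source) {
  const hits = [];
  const re = new RegExp(SOURCE_MAPPING_URL_RE.source, 'g');
  let m;
  while ((m = re.exec(source)) !== null) {
    const line = source.slice(0, m.index).split('\n').length;
    hits.push({ line, url: m[1], kind: classifyTarget(m[1]) });
  }
  return hits;
}

// Constructed policy: a map reference that names a path outside the compilation
// unit (absolute path, file: URL, or ".." traversal) is flagged for review.
function isSuspicious(hit) {
  return hit.kind === 'absolute' || hit.kind === 'traversal';
}

// Neutralise the comments while keeping the file syntactically valid: the
// comment opener is kept, only the directive and its target are removed.
function stripSourceMappingURLs(source) {
  return source.replace(SOURCE_MAPPING_URL_RE, (full) =>
    full.startsWith('//') ? '// sourceMappingURL removed' : '/* sourceMappingURL removed');
}

// Constructed sample input; the paths below are illustrative, not real files.
const SAMPLE = [
  'function add(a, b) { return a + b; }',
  '//# sourceMappingURL=add.js.map',
  '/*# sourceMappingURL=../../outside/app.map */',
  '//# sourceMappingURL=/home/ci/secrets/config.js.map',
  '//# sourceMappingURL=data:application/json;base64,e30=',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of findSourceMappingURLs(SAMPLE)) {
    const flag = isSuspicious(hit) ? 'SUSPICIOUS' : 'ok';
    console.log(`line ${hit.line}: ${hit.kind.padEnd(9)} ${flag}  ${hit.url}`);
  }
  console.log('--- stripped ---');
  console.log(stripSourceMappingURLs(SAMPLE));
}
```

Running the block prints one line per comment, flagging the traversal and absolute references, then the sanitised text. Stripping is a coarse control: it also discards legitimate relative map references, so a pipeline that needs input source maps should instead reject inputs with suspicious hits and let clean ones through. Independently of this check, @babel/core exposes an `inputSourceMap` option that can be set to `false` to stop it loading maps from the comment at all; that option is not mentioned in the advisory, and upgrading to a fixed release remains the actual remedy.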
OpenCVE Enrichment
Github GHSA