[Pkg-javascript-devel] Bug#1140816: node-babel7: CVE-2026-49356

Salvatore Bonaccorso carnil at debian.org
Fri Jun 26 21:12:09 BST 2026


Source: node-babel7
Version: 7.20.15+ds1+~cs214.269.168-8
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for node-babel7.

CVE-2026-49356[0]:
| Babel is a compiler for writing next generation JavaScript. Prior to
| 8.0.0-rc.6 and 7.29.6, @babel/core affected by an arbitrary file
| read via a sourceMappingURL comment. Using @babel/core to compile
| maliciously crafted code can allow an attacker to read any source
| map from the system that is running Babel, if the attacker controls
| the input source code, can read the output source code, and knows
| the path of the source map file that they want to read. This
| vulnerability is fixed in 8.0.0-rc.6 and 7.29.6.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-49356
    https://www.cve.org/CVERecord?id=CVE-2026-49356
[1] https://github.com/babel/babel/security/advisories/GHSA-4x5r-pxfx-6jf8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



More information about the Pkg-javascript-devel mailing list