CVE-2026-49356
Low, CVSS 3.2
Exploitation Probability (EPSS): Low risk, 2nd percentile — higher than 2% of all known CVEs
Summary
Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core is affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is running Babel, if the attacker controls the input source code, can read the output source code, and knows the path of the source map file that they want to read.
Risk Assessment
The risk involves the potential reading of sensitive source map files from the system, which could reveal application structure or other sensitive data.
Recommendation
Immediately update @babel/core to version 8.0.0-rc.6 or 7.29.6, which contain the fix for this vulnerability.
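To confirm that no affected copy of @babel/core remains after the update, including copies nested under other dependencies, the lockfile can be audited against the two fixed versions. The following is an added example, not code from Babel or from this advisory; it assumes an npm lockfile with a "packages" map, and the nested package names in the sample are hypothetical.

```javascript
// Fixed releases as stated in the advisory, keyed by release line.
const FIXED = { 7: "7.29.6", 8: "8.0.0-rc.6" };

// Parse "8.0.0-rc.6" into { nums: [8, 0, 0], pre: ["rc", 6] }.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  const pre = m[4] ? m[4].split(".").map((p) => (/^\d+$/.test(p) ? Number(p) : p)) : [];
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre };
}

// SemVer 2.0 precedence: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  // A release outranks any prerelease of the same x.y.z.
  if (!x.pre.length || !y.pre.length) return y.pre.length - x.pre.length;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1; // fewer identifiers sorts first
    if (q === undefined) return 1;
    if (p === q) continue;
    if (typeof p !== typeof q) return typeof p === "number" ? -1 : 1; // numeric < alphanumeric
    return p < q ? -1 : 1;
  }
  return 0;
}

// Assumption: 8.x builds are judged against 8.0.0-rc.6, everything older against 7.29.6.
function isAffected(version) {
  const major = parseVersion(version).nums[0];
  return compareVersions(version, major >= 8 ? FIXED[8] : FIXED[7]) < 0;
}

// Walk the "packages" map of an npm lockfile, including nested copies.
function findAffected(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => path.endsWith("node_modules/@babel/core") && meta.version)
    .filter(([, meta]) => isAffected(meta.version))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed sample lockfile (nested package names are hypothetical); for a real
// project use JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).
const sampleLock = { packages: {
  "node_modules/@babel/core": { version: "7.29.6" },
  "node_modules/legacy-plugin/node_modules/@babel/core": { version: "7.24.0" },
  "node_modules/next-tool/node_modules/@babel/core": { version: "8.0.0-rc.5" },
} };
console.log(findAffected(sampleLock));
```

Any entry reported here is a copy that still needs the upgrade, even when the top-level @babel/core is already at a fixed version.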
Original NVD description (English source)
Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core is affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is running Babel, if the attacker controls the input source code, can read the output source code, and knows the path of the source map file that they want to read. This vulnerability is fixed in 8.0.0-rc.6 and 7.29.6.

