Vulnerability-Lookup

CVE-2026-49356 (GCVE-0-2026-49356)

Vulnerability from cvelistv5 – Published: 2026-06-22 16:07 – Updated: 2026-06-22 17:23

Title

Babel: Arbitrary File Read via sourceMappingURL Comment in @babel/core

Summary

Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is running Babel, if the attacker controls the input source code, can read the output source code, and knows the path of the source map file that they want to read. This vulnerability is fixed in 8.0.0-rc.6 and 7.29.6.

Severity

3.2 (Low)


                        
                          CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/babel/babel/security/advisorie…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
babel	babel	Affected: >= 8.0.0-alpha.0, < 8.0.0-rc.5 Affected: < 7.29.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-49356",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-22T17:22:57.466209Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-22T17:23:03.327Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "babel",
          "vendor": "babel",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 8.0.0-alpha.0, \u003c 8.0.0-rc.5"
            },
            {
              "status": "affected",
              "version": "\u003c 7.29.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is running Babel, if the attacker controls the input source code, can read the output source code, and knows the path of the source map file that they want to read. This vulnerability is fixed in 8.0.0-rc.6 and 7.29.6."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.2,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-22T16:07:01.764Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/babel/babel/security/advisories/GHSA-4x5r-pxfx-6jf8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/babel/babel/security/advisories/GHSA-4x5r-pxfx-6jf8"
        }
      ],
      "source": {
        "advisory": "GHSA-4x5r-pxfx-6jf8",
        "discovery": "UNKNOWN"
      },
      "title": "Babel: Arbitrary File Read via sourceMappingURL Comment in @babel/core"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-49356",
    "datePublished": "2026-06-22T16:07:01.764Z",
    "dateReserved": "2026-05-29T14:35:45.904Z",
    "dateUpdated": "2026-06-22T17:23:03.327Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-49356",
      "date": "2026-06-28",
      "epss": "0.00116",
      "percentile": "0.01906"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-49356\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-22T18:16:41.107\",\"lastModified\":\"2026-06-26T20:04:23.897\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is running Babel, if the attacker controls the input source code, can read the output source code, and knows the path of the source map file that they want to read. This vulnerability is fixed in 8.0.0-rc.6 and 7.29.6.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"babel\",\"product\":\"babel\",\"versions\":[{\"version\":\"\u003e= 8.0.0-alpha.0, \u003c 8.0.0-rc.5\",\"status\":\"affected\"},{\"version\":\"\u003c 7.29.6\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":3.2,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.4,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N\",\"baseScore\":3.6,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":1.4}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-06-22T17:22:57.466209Z\",\"id\":\"CVE-2026-49356\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"},{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.29.6\",\"matchCriteriaId\":\"7CA3CCF0-1BB3-421B-A45D-8D3846B977B4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:alpha0:*:*:*:*:*:*\",\"matchCriteriaId\":\"35F6AF6B-8CB6-40BB-B0AE-32E89718ED8C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:alpha1:*:*:*:*:*:*\",\"matchCriteriaId\":\"DAFA4C96-CD2A-47A5-BA4E-134BA1D366B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:alpha10:*:*:*:*:*:*\",\"matchCriteriaId\":\"BAC310EC-C0CF-4D27-BA54-20B3207B4118\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:alpha11:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E37BB6-34C2-437B-A9DC-018B23F5E7BD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:alpha12:*:*:*:*:*:*\",\"matchCriteriaId\":\"B74C4261-EB8F-448D-AF41-CB82246C3EB4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:alpha13:*:*:*:*:*:*\",\"matchCriteriaId\":\"BF7E80E5-B02B-481A-B928-748F4ED680BB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:alpha14:*:*:*:*:*:*\",\"matchCriteriaId\":\"ED674570-F784-4DE5-9F47-5692AB00BC14\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:alpha15:*:*:*:*:*:*\",\"matchCriteriaId\":\"9E6B4629-E2BA-4ED2-AF0D-ADE873EE9727\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:alpha16:*:*:*:*:*:*\",\"matchCriteriaId\":\"207845B9-8380-4ED7-9AE8-F0C872BBCB7B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:alpha17:*:*:*:*:*:*\",\"matchCriteriaId\":\"2CEDA1E8-20C6-448F-8272-D19318FE8033\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:alpha2:*:*:*:*:*:*\",\"matchCriteriaId\":\"BD426CF6-E4B7-4F65-9968-A485F745E377\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:alpha3:*:*:*:*:*:*\",\"matchCriteriaId\":\"92CE9983-D67E-4DE6-B9EE-CCE55DF615E7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:alpha4:*:*:*:*:*:*\",\"matchCriteriaId\":\"66E5DE6B-CD6D-4687-AB1C-90B294DE8DCC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:alpha5:*:*:*:*:*:*\",\"matchCriteriaId\":\"5E3BD45A-177D-4006-8820-EEABE6EF03FC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:alpha6:*:*:*:*:*:*\",\"matchCriteriaId\":\"D9323EF4-77AA-410A-A2F7-D905C6175A64\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:alpha7:*:*:*:*:*:*\",\"matchCriteriaId\":\"67E62B17-72F2-464F-AB14-E7A9F744AC01\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:alpha8:*:*:*:*:*:*\",\"matchCriteriaId\":\"BDC6F0F5-3141-41CD-B8D0-13AE9FF4FFEC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:alpha9:*:*:*:*:*:*\",\"matchCriteriaId\":\"FC459C4A-04F3-4521-A7EA-A03A118AA4F0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:beta0:*:*:*:*:*:*\",\"matchCriteriaId\":\"35A391E9-F191-47D1-9261-BDDDFF99DB6C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"2A97F9D1-C700-419B-83AE-0FC781AA74EB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEA9CFE5-8A05-4C9C-B2C2-E52FDE8748AE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"BAA9BB4D-E826-4784-A336-E0C55B062D95\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"C9915F12-E44D-4345-9597-371FC707E89D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"00B61EF2-BE57-4DBA-87FA-A73B7BA6C109\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"E405A097-645D-4653-97AD-90F3D0A3F2BF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"E5FFF6F2-3D4A-4E68-A93D-A03F106C0095\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"95EB7702-7577-4926-8EC8-61C02EE3B95D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:babel:babel:8.0.0:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"7C0D1707-31BA-4EAF-9B23-9AFB26704BBF\"}]}]}],\"references\":[{\"url\":\"https://github.com/babel/babel/security/advisories/GHSA-4x5r-pxfx-6jf8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-49356\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-22T17:22:57.466209Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-22T17:22:59.765Z\"}}], \"cna\": {\"title\": \"Babel: Arbitrary File Read via sourceMappingURL Comment in @babel/core\", \"source\": {\"advisory\": \"GHSA-4x5r-pxfx-6jf8\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 3.2, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"babel\", \"product\": \"babel\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 8.0.0-alpha.0, \u003c 8.0.0-rc.5\"}, {\"status\": \"affected\", \"version\": \"\u003c 7.29.6\"}]}], \"references\": [{\"url\": \"https://github.com/babel/babel/security/advisories/GHSA-4x5r-pxfx-6jf8\", \"name\": \"https://github.com/babel/babel/security/advisories/GHSA-4x5r-pxfx-6jf8\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is running Babel, if the attacker controls the input source code, can read the output source code, and knows the path of the source map file that they want to read. This vulnerability is fixed in 8.0.0-rc.6 and 7.29.6.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-22T16:07:01.764Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-49356\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-22T17:23:03.327Z\", \"dateReserved\": \"2026-05-29T14:35:45.904Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-22T16:07:01.764Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-4X5R-PXFX-6JF8

Vulnerability from github – Published: 2026-06-15 17:14 – Updated: 2026-06-15 17:14

Summary

@babel/core: Arbitrary File Read via sourceMappingURL Comment

Details

Impact

Using @babel/core to compile maliciously crafted code can allow ab attacker to read any source map from the system that is running Babel, if these conditions are all true: - the attacker controls the input source code - the attacker can read the output source code - the attacker knows the path of the source map file that they want to read

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/core@7.29.6 and @babel/core@8.0.0-rc.6.

Workarounds

Callers can mitigate the issue without upgrading by setting inputSourceMap: false in their Babel options.

Callers can also manually extract the #sourceMappingURL comment from the input source code, validate whether the source map that it links to is allowed to be read, and if it is pass an object to inputSourceMap (passing false when it's not).

Credits

Thanks Teodor-Cristian Radoi for reporting the vulnerability.

Severity

3.2 (Low)


                  
                    CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 8.0.0-rc.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@babel/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0-alpha.0"
            },
            {
              "fixed": "8.0.0-rc.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.29.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@babel/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.29.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49356"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-15T17:14:14Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "## Impact\n\nUsing `@babel/core` to compile maliciously crafted code can allow ab attacker to read any source map from the system that is running Babel, if these conditions are _all_ true:\n- the attacker controls the input source code\n- the attacker can read the output source code\n- the attacker knows the path of the source map file that they want to read\n\n**Users that only compile trusted code are not impacted.**\n\n## Patches\n\nThe vulnerability has been fixed in `@babel/core@7.29.6` and `@babel/core@8.0.0-rc.6`.\n\n## Workarounds\n\nCallers can mitigate the issue without upgrading by setting [`inputSourceMap: false`](https://babeljs.io/docs/options#inputsourcemap) in their Babel options.\n\nCallers can also manually extract the `#sourceMappingURL` comment from the input source code, validate whether the source map that it links to is allowed to be read, and if it is pass an object to `inputSourceMap` (passing `false` when it\u0027s not).\n\n## Credits\n\nThanks Teodor-Cristian Radoi for reporting the vulnerability.",
  "id": "GHSA-4x5r-pxfx-6jf8",
  "modified": "2026-06-15T17:14:14Z",
  "published": "2026-06-15T17:14:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/babel/babel/security/advisories/GHSA-4x5r-pxfx-6jf8"
    },
    {
      "type": "WEB",
      "url": "https://babeljs.io/docs/options#inputsourcemap"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/babel/babel"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@babel/core: Arbitrary File Read via sourceMappingURL Comment"
}

MSRC_CVE-2026-49356

Vulnerability from csaf_microsoft - Published: 2026-06-02 00:00 - Updated: 2026-06-27 01:03

Summary

Babel: Arbitrary File Read via sourceMappingURL Comment in @babel/core

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2026-49356

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected products

Under investigation 1 product

Product	Identifier	Version	Remediation
Unresolved product id: 17084-1		—

References

4 references

URL	Category
https://msrc.microsoft.com/csaf/vex/2026/msrc_cve…	self
https://support.microsoft.com/lifecycle	external
https://www.first.org/cvss	external
https://msrc.microsoft.com/csaf/vex/2026/msrc_cve…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2026-49356 Babel: Arbitrary File Read via sourceMappingURL Comment in @babel/core - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-49356.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Babel: Arbitrary File Read via sourceMappingURL Comment in @babel/core",
    "tracking": {
      "current_release_date": "2026-06-27T01:03:30.000Z",
      "generator": {
        "date": "2026-06-28T07:10:57.235Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2026-49356",
      "initial_release_date": "2026-06-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-06-27T01:03:30.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-49356",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "notes": [
        {
          "category": "general",
          "text": "GitHub_M",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "under_investigation": [
          "17084-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-49356 Babel: Arbitrary File Read via sourceMappingURL Comment in @babel/core - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-49356.json"
        }
      ],
      "title": "Babel: Arbitrary File Read via sourceMappingURL Comment in @babel/core"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-49356 (GCVE-0-2026-49356)

GHSA-4X5R-PXFX-6JF8

Impact

Patches

Workarounds

Credits

MSRC_CVE-2026-49356

Tags

Sightings

Nomenclature