CVE-2026-44728 babel CVE debrief

Who should care

Development teams using Babel in build pipelines, DevOps engineers managing CI/CD infrastructure, security teams assessing supply chain risks in JavaScript ecosystems, and organizations with automated code transformation workflows

Technical summary

The vulnerability exists in Babel's code generation logic when processing specifically crafted JavaScript source. An attacker able to supply malicious input to a Babel compilation process can trigger generation of output code that executes arbitrary commands. This affects automated build systems, development environments, and any context where Babel processes untrusted source code. The attack requires local access and user interaction per CVSS vector, but in CI/CD contexts this may be satisfied by automated processing of repository content.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade Babel to version 7.29.4 or later for 7.x installations, or 8.0.0-alpha.13 or later for 8.0 alpha users
• Audit build pipelines for Babel versions in affected range (7.12.0-7.29.3, 8.0.0-alpha.0-8.0.0-alpha.12)
• Review source code inputs to Babel compilation for untrusted or attacker-controlled content
• Implement input validation and sandboxing for Babel compilation of external or untrusted JavaScript
• Monitor for suspicious build-time behavior or unexpected code generation in CI/CD environments

Evidence notes

Official CVE record and NVD entry published 2026-05-26. GitHub Security Advisory GHSA-fv7c-fp4j-7gwp confirms affected versions and fix availability. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H indicates local attack vector with high impact. CWE-94 (Improper Control of Generation of Code) and CWE-843 (Access of Resource Using Incompatible Type) identified as root weaknesses.

Official resources