SCA: security update for @babel/helpers, @babel/runtime, @babel/runtime-corejs2, @babel/runtime-corejs3 (GHSA-968p-4wvh-cqc8)

medium Tenable Cloud Security Plugin ID 421098

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10
and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill
for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e.
the second argument passed to `.replace`). Generated code is vulnerable if all the following conditions
are true: Using Babel to compile regular expression named capturing groups, using the `.replace` method on
a regular expression that contains named capturing groups, and the code using untrusted strings as the
second argument of `.replace`. This problem has been fixed in `@babel/helpers` and `@babel/runtime`
7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on `@babel/helpers`,
and instead depend on `@babel/core` (which itself depends on `@babel/helpers`). Upgrading to `@babel/core`
7.26.10 is not required, but it guarantees use of a new enough `@babel/helpers` version. Note that just
updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds
are available. (CVE-2025-27789)

See Also

https://github.com/advisories/GHSA-968p-4wvh-cqc8

Plugin Details

Severity: Medium

ID: 421098

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 3/12/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.7

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 3.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2025-27789

CVSS v3

Risk Factor: Medium

Base Score: 6.2

Temporal Score: 5.4

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/11/2025

Vulnerability Publication Date: 1/31/2024

Reference Information

CVE: CVE-2025-27789