SCA: security update for @babel/traverse (GHSA-67hx-6x53-jw92)

high Tenable Self-Hosted Container Security Plugin ID 411278

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Babel is a compiler for writingJavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4
and all versions of `babel-traverse`, using Babel to compile code that was specifically crafted by an
attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the
`path.evaluate()`or `path.evaluateTruthy()` internal Babel methods. Known affected plugins are
`@babel/plugin-transform-runtime`; `@babel/preset-env` when using its `useBuiltIns` option; and any
"polyfill provider" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-
plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-
plugin-polyfill-regenerator`. No other plugins under the `@babel/` namespace are impacted, but third-party
plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed
in `@babel/[email protected]` and `@babel/[email protected]`. Those who cannot upgrade
`@babel/traverse` and are using one of the affected packages mentioned above should upgrade them to their
latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions:
`@babel/plugin-transform-runtime` v7.23.2, `@babel/preset-env` v7.23.2, `@babel/helper-define-polyfill-
provider` v0.4.3, `babel-plugin-polyfill-corejs2` v0.4.6, `babel-plugin-polyfill-corejs3` v0.8.5, `babel-
plugin-polyfill-es-shims` v0.10.0, `babel-plugin-polyfill-regenerator` v0.5.3. (CVE-2023-45133)

See Also

https://github.com/advisories/GHSA-67hx-6x53-jw92

Plugin Details

Severity: High

ID: 411278

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.8

Percentile: 99.34

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-45133

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 10/16/2023

Vulnerability Publication Date: 10/12/2023

Reference Information

CVE: CVE-2023-45133