CVE-2025-27789

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-27789
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-27789.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-27789
Aliases
Downstream
Related
Published
2025-03-11T19:09:28.146Z
Modified
2026-01-08T12:11:12.880435Z
Severity
  • 6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups
Details

Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the .replace method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of .replace. This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on @babel/helpers, and instead depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees use of a new enough @babel/helpers version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.

Database specific 
{
    "cwe_ids": [
        "CWE-1333"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27789.json"
}
References

Affected packages

Git / github.com/babel/babel

Affected ranges

Type
GIT
Repo
https://github.com/babel/babel
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
e1ce99df422971175249509e7bbc2b327b8f7957
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "7.26.10"
        }
    ]
}
Type
GIT
Repo
https://github.com/babel/babel
Events
Introduced
bdbaca37bf5ec7fb879e729b39d48673f45842f3
Fixed
786b4357423fb650084503352648af44c8ffc409
Database specific 
{
    "versions": [
        {
            "introduced": "8.0.0-alpha.0"
        },
        {
            "fixed": "8.0.0-alpha.17"
        }
    ]
}

Affected versions

@babel/core@7.*

@babel/core@7.23.2

babel-eslint-v11.*

babel-eslint-v11.0.0-beta.1

v1.*

v1.10.1
v1.10.10
v1.10.11
v1.10.12
v1.10.2
v1.10.3
v1.10.4
v1.10.5
v1.10.6
v1.10.7
v1.10.8
v1.10.9
v1.11.0
v1.11.1
v1.11.10
v1.11.11
v1.11.12
v1.11.13
v1.11.14
v1.11.15
v1.11.2
v1.11.3
v1.11.4
v1.11.5
v1.11.6
v1.11.7
v1.11.8
v1.11.9
v1.12.0
v1.12.1
v1.12.10
v1.12.11
v1.12.12
v1.12.13
v1.12.14
v1.12.15
v1.12.16
v1.12.17
v1.12.18
v1.12.19
v1.12.2
v1.12.20
v1.12.21
v1.12.22
v1.12.23
v1.12.24
v1.12.25
v1.12.26
v1.12.3
v1.12.4
v1.12.5
v1.12.6
v1.12.7
v1.12.8
v1.12.9
v1.13.0
v1.13.1
v1.13.10
v1.13.11
v1.13.12
v1.13.13
v1.13.2
v1.13.3
v1.13.4
v1.13.5
v1.13.6
v1.13.7
v1.13.8
v1.13.9
v1.14.0
v1.14.1
v1.14.10
v1.14.11
v1.14.12
v1.14.13
v1.14.14
v1.14.15
v1.14.16
v1.14.17
v1.14.2
v1.14.3
v1.14.4
v1.14.5
v1.14.6
v1.14.7
v1.14.8
v1.14.9
v1.15.0
v1.7.10
v1.7.11
v1.7.12
v1.7.13
v1.7.14
v1.7.15
v1.7.16
v1.7.17
v1.7.7
v1.7.9
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v1.9.4
v1.9.5
v1.9.6
v1.9.7
v1.9.8
v1.9.9

v2.*

v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.1.0
v2.10.0
v2.10.1
v2.11.0
v2.11.1
v2.11.2
v2.11.3
v2.11.4
v2.12.0
v2.12.1
v2.12.2
v2.12.3
v2.12.4
v2.12.5
v2.12.6
v2.13.0
v2.13.1
v2.13.2
v2.13.3
v2.13.4
v2.13.5
v2.13.6
v2.13.7
v2.2.0
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.1
v2.4.10
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.8.0
v2.8.1
v2.8.2
v2.9.0
v2.9.1
v2.9.2
v2.9.3
v2.9.4

v3.*

v3.0.0
v3.0.1
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.1.0
v3.1.1
v3.2.0
v3.2.1
v3.3.0
v3.3.1
v3.3.10
v3.3.11
v3.3.12
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.7
v3.3.8
v3.3.9
v3.4.0
v3.4.1
v3.5.0
v3.5.1
v3.5.2
v3.5.3
v3.6.0
v3.6.1
v3.6.2
v3.6.3
v3.6.4
v3.6.5

v4.*

v4.0.1
v4.0.2
v4.1.1
v4.2.0
v4.2.1
v4.3.0
v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.4.4
v4.4.5
v4.4.6
v4.5.0
v4.5.1
v4.5.2
v4.5.3
v4.5.4
v4.5.5
v4.6.0
v4.6.1
v4.6.2
v4.6.3
v4.6.4
v4.6.5
v4.6.6
v4.7.0
v4.7.1
v4.7.10
v4.7.11
v4.7.12
v4.7.13
v4.7.14
v4.7.15
v4.7.16
v4.7.2
v4.7.3
v4.7.4
v4.7.5
v4.7.6
v4.7.7
v4.7.8
v4.7.9

v5.*

v5.0.0
v5.0.0-beta1
v5.0.0-beta2
v5.0.0-beta3
v5.0.0-beta4
v5.0.1
v5.0.10
v5.0.11
v5.0.12
v5.0.13
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v5.1.0
v5.1.1
v5.1.10
v5.1.11
v5.1.12
v5.1.13
v5.1.2
v5.1.3
v5.1.4
v5.1.5
v5.1.6
v5.1.7
v5.1.8
v5.1.9
v5.2.0
v5.2.1
v5.2.10
v5.2.11
v5.2.12
v5.2.13
v5.2.14
v5.2.15
v5.2.16
v5.2.17
v5.2.2
v5.2.3
v5.2.4
v5.2.5
v5.2.6
v5.2.7
v5.2.8
v5.2.9
v5.3.0
v5.3.1
v5.3.2
v5.3.3
v5.4.0
v5.4.1
v5.4.2
v5.4.3
v5.4.4
v5.4.5
v5.4.6
v5.4.7
v5.5.0
v5.5.1
v5.5.2
v5.5.3
v5.5.4
v5.5.5
v5.5.6
v5.5.7
v5.5.8
v5.6.0
v5.6.1
v5.6.10
v5.6.11
v5.6.12
v5.6.13
v5.6.14
v5.6.15
v5.6.16
v5.6.17
v5.6.18
v5.6.19
v5.6.2
v5.6.20
v5.6.21
v5.6.23
v5.6.3
v5.6.4
v5.6.5
v5.6.6
v5.6.7
v5.6.8
v5.6.9
v5.7.0
v5.7.1
v5.7.2
v5.7.3
v5.7.4
v5.7.5
v5.7.6
v5.8.0
v5.8.1
v5.8.10
v5.8.11
v5.8.12
v5.8.13
v5.8.14
v5.8.15
v5.8.16
v5.8.17
v5.8.18
v5.8.19
v5.8.2
v5.8.20
v5.8.21
v5.8.22
v5.8.23
v5.8.24
v5.8.25
v5.8.26
v5.8.27
v5.8.28
v5.8.29
v5.8.3
v5.8.30
v5.8.31
v5.8.32
v5.8.33
v5.8.4
v5.8.5
v5.8.6
v5.8.7
v5.8.8
v5.8.9

v6.*

v6.0.1
v6.0.10
v6.0.11
v6.0.12
v6.0.13
v6.0.14
v6.0.15
v6.0.16
v6.0.17
v6.0.18
v6.0.19
v6.0.2
v6.0.20
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9
v6.1.0
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.10.0
v6.10.1
v6.10.2
v6.10.3
v6.10.4
v6.11.0
v6.11.1
v6.11.2
v6.11.3
v6.11.4
v6.11.5
v6.11.6
v6.12.0
v6.13.0
v6.13.1
v6.13.2
v6.14.0
v6.15.0
v6.16.0
v6.16.1
v6.16.2
v6.16.3
v6.17.0
v6.18.0
v6.18.1
v6.18.2
v6.19.0
v6.2.0
v6.2.1
v6.2.2
v6.20.0
v6.20.1
v6.20.2
v6.20.3
v6.21.0
v6.21.1
v6.22.0
v6.22.1
v6.22.2
v6.23.0
v6.23.1
v6.24.0
v6.24.1
v6.25.0
v6.26.0
v6.3.0
v6.3.1
v6.3.10
v6.3.13
v6.3.14
v6.3.15
v6.3.16
v6.3.17
v6.3.18
v6.3.19
v6.3.2
v6.3.20
v6.3.21
v6.3.23
v6.3.24
v6.3.25
v6.3.26
v6.3.8
v6.4.0
v6.4.1
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.4.6
v6.5.0
v6.5.1
v6.5.2
v6.6.0
v6.6.1
v6.6.2
v6.6.3
v6.6.4
v6.6.5
v6.7.0
v6.7.1
v6.7.2
v6.7.3
v6.7.4
v6.7.5
v6.7.6
v6.7.7
v6.8.0
v6.8.1
v6.9.0
v6.9.1
v6.9.2

v7.*

v7.0.0
v7.0.0-alpha.1
v7.0.0-alpha.10
v7.0.0-alpha.11
v7.0.0-alpha.12
v7.0.0-alpha.15
v7.0.0-alpha.16
v7.0.0-alpha.17
v7.0.0-alpha.18
v7.0.0-alpha.19
v7.0.0-alpha.20
v7.0.0-alpha.3
v7.0.0-alpha.4
v7.0.0-alpha.5
v7.0.0-alpha.6
v7.0.0-alpha.7
v7.0.0-alpha.8
v7.0.0-alpha.9
v7.0.0-beta.0
v7.0.0-beta.1
v7.0.0-beta.2
v7.0.0-beta.3
v7.0.0-beta.31
v7.0.0-beta.32
v7.0.0-beta.33
v7.0.0-beta.34
v7.0.0-beta.35
v7.0.0-beta.36
v7.0.0-beta.37
v7.0.0-beta.38
v7.0.0-beta.39
v7.0.0-beta.4
v7.0.0-beta.40
v7.0.0-beta.41
v7.0.0-beta.42
v7.0.0-beta.43
v7.0.0-beta.44
v7.0.0-beta.45
v7.0.0-beta.46
v7.0.0-beta.47
v7.0.0-beta.48
v7.0.0-beta.49
v7.0.0-beta.5
v7.0.0-beta.50
v7.0.0-beta.51
v7.0.0-beta.52
v7.0.0-beta.53
v7.0.0-beta.54
v7.0.0-beta.55
v7.0.0-beta.56
v7.0.0-rc.0
v7.0.0-rc.1
v7.0.0-rc.2
v7.0.0-rc.3
v7.0.0-rc.4
v7.1.0
v7.1.1
v7.1.2
v7.1.3
v7.1.4
v7.1.5
v7.1.6
v7.10.0
v7.10.1
v7.10.2
v7.10.3
v7.10.4
v7.10.5
v7.11.0
v7.11.1
v7.11.2
v7.11.3
v7.11.4
v7.11.5
v7.11.6
v7.12.0
v7.12.1
v7.12.10
v7.12.11
v7.12.12
v7.12.13
v7.12.14
v7.12.15
v7.12.16
v7.12.17
v7.12.18
v7.12.2
v7.12.3
v7.12.4
v7.12.5
v7.12.6
v7.12.7
v7.12.8
v7.12.9
v7.13.0
v7.13.1
v7.13.10
v7.13.11
v7.13.12
v7.13.13
v7.13.14
v7.13.15
v7.13.16
v7.13.17
v7.13.2
v7.13.3
v7.13.4
v7.13.5
v7.13.6
v7.13.7
v7.13.8
v7.13.9
v7.14.0
v7.14.1
v7.14.2
v7.14.3
v7.14.4
v7.14.5
v7.14.6
v7.14.7
v7.14.8
v7.14.9
v7.15.0
v7.15.1
v7.15.2
v7.15.3
v7.15.4
v7.15.5
v7.15.6
v7.15.7
v7.15.8
v7.16.0
v7.16.1
v7.16.10
v7.16.11
v7.16.12
v7.16.2
v7.16.3
v7.16.4
v7.16.5
v7.16.6
v7.16.7
v7.16.8
v7.16.9
v7.17.0
v7.17.1
v7.17.10
v7.17.11
v7.17.12
v7.17.2
v7.17.3
v7.17.4
v7.17.5
v7.17.6
v7.17.7
v7.17.8
v7.17.9
v7.18.0
v7.18.1
v7.18.10
v7.18.11
v7.18.12
v7.18.13
v7.18.2
v7.18.3
v7.18.4
v7.18.5
v7.18.6
v7.18.7
v7.18.8
v7.18.9
v7.19.0
v7.19.1
v7.19.2
v7.19.3
v7.19.4
v7.19.5
v7.19.6
v7.2.0
v7.2.1
v7.2.2
v7.2.3
v7.2.4
v7.2.5
v7.20.0
v7.20.1
v7.20.10
v7.20.11
v7.20.12
v7.20.13
v7.20.14
v7.20.15
v7.20.2
v7.20.3
v7.20.4
v7.20.5
v7.20.6
v7.20.7
v7.20.8
v7.20.9
v7.21.0
v7.21.1
v7.21.2
v7.21.3
v7.21.4
v7.21.5
v7.21.6
v7.21.7
v7.21.8
v7.21.9
v7.22.0
v7.22.1
v7.22.10
v7.22.11
v7.22.12
v7.22.13
v7.22.14
v7.22.15
v7.22.16
v7.22.17
v7.22.18
v7.22.19
v7.22.2
v7.22.20
v7.22.3
v7.22.4
v7.22.5
v7.22.6
v7.22.7
v7.22.8
v7.22.9
v7.23.0
v7.23.1
v7.23.10
v7.23.2
v7.23.3
v7.23.4
v7.23.5
v7.23.6
v7.23.7
v7.23.8
v7.23.9
v7.24.0
v7.24.1
v7.24.10
v7.24.2
v7.24.3
v7.24.4
v7.24.5
v7.24.6
v7.24.7
v7.24.8
v7.24.9
v7.25.0
v7.25.1
v7.25.2
v7.25.3
v7.25.4
v7.25.5
v7.25.6
v7.25.7
v7.25.8
v7.25.9
v7.26.0
v7.26.1
v7.26.2
v7.26.3
v7.26.4
v7.26.5
v7.26.6
v7.26.7
v7.26.8
v7.26.9
v7.3.0
v7.3.1
v7.3.2
v7.3.3
v7.3.4
v7.4.0
v7.4.1
v7.4.2
v7.4.3
v7.4.4
v7.4.5
v7.5.0
v7.5.1
v7.5.2
v7.5.3
v7.5.4
v7.5.5
v7.6.0
v7.6.1
v7.6.2
v7.6.3
v7.6.4
v7.7.0
v7.7.1
v7.7.2
v7.7.3
v7.7.4
v7.7.5
v7.7.6
v7.7.7
v7.8.0
v7.8.1
v7.8.2
v7.8.3
v7.8.4
v7.8.5
v7.8.6
v7.8.7
v7.8.8
v7.9.0
v7.9.1
v7.9.2
v7.9.3
v7.9.4
v7.9.5
v7.9.6

v8.*

v8.0.0-alpha.1
v8.0.0-alpha.10
v8.0.0-alpha.11
v8.0.0-alpha.12
v8.0.0-alpha.13
v8.0.0-alpha.14
v8.0.0-alpha.15
v8.0.0-alpha.16
v8.0.0-alpha.2
v8.0.0-alpha.3
v8.0.0-alpha.4
v8.0.0-alpha.5
v8.0.0-alpha.6
v8.0.0-alpha.7
v8.0.0-alpha.8
v8.0.0-alpha.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-27789.json"