CVE-2025-27789: Regex Complexity in @babel/helpers
Platform: nodejs
Component: @babel/helpers
Fixed in: 7.26.10, 7.26.11, 8.0.1
CVE-2025-27789 is a vulnerability in the @babel/helpers package, a core component of the Babel JavaScript compiler. When Babel compiles regular expressions that use named capturing groups, the polyfill it generates for the .replace method has quadratic complexity for certain replacement-pattern strings. The issue affects applications that use Babel to compile code relying on these features and can cause severe performance degradation. Versions prior to 7.26.10 are affected; upgrading to 7.26.10 or later resolves the vulnerability.
Impact and Attack Scenarios
The core impact of CVE-2025-27789 is denial of service (DoS) through performance degradation. When Babel compiles code that uses regular expression named capturing groups, it generates a polyfill for the .replace method whose handling of certain replacement patterns (the second argument passed to .replace) has quadratic time complexity: execution time grows with the square of the length of that replacement string. An attacker who can supply or influence that string can craft one that triggers the quadratic path, tying up the application's CPU and rendering it unresponsive. The blast radius is broad: any application that relies on a vulnerable Babel version to compile code with named capturing groups is affected. The flaw does not expose data, but the performance impact can disrupt service and lead to cascading failures.
Exploitation Context
CVE-2025-27789 is not currently listed in the CISA KEV catalog. The EPSS score is likely low to medium, given the lack of public exploits and the specific input patterns required to trigger the vulnerability. As of the publication date (2025-03-11), no public proof-of-concept (PoC) code has been released. Because the impact is purely performance-related, the vulnerability is less attractive to attackers than flaws that lead to data breaches or remote code execution.
Threat Intelligence
Exploit Status
EPSS: 0.14% (34th percentile)
CISA SSVC
CVSS Vector
- Attack Vector: Local — attacker needs a local shell or interactive session on the system.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
- Integrity: None — no integrity impact. Attacker cannot modify data.
- Availability: High — complete crash or resource exhaustion. Full denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-27789 is to upgrade the @babel/helpers package to version 7.26.10 or later, which contains the fix for the quadratic complexity issue. If an immediate upgrade is not feasible because of compatibility concerns or breaking changes, consider temporarily limiting the use of regular expression named capturing groups in critical code paths, and in particular avoid passing untrusted strings as the replacement argument to .replace on such expressions. This is not a complete solution, but it reduces the likelihood of the quadratic path being reached. There are no specific WAF or proxy rules that can address this vulnerability, because it resides in the compiled application code rather than in a request pattern a perimeter device could match. Detection is difficult; monitoring application performance for unexpected CPU spikes during regular expression replacement operations may indicate attempted exploitation.
How to fix
Update Babel dependencies to version 7.26.10 or higher, or, on the 8.x pre-release line, to version 8.0.0-alpha.17 or higher. Because the @babel/helpers code is inlined into the compiled output, the fix only reaches your application once you recompile after updating; updating the dependency alone is not enough. Recompiling with the fixed version removes the inefficient regular expression handling from the generated polyfill.
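The two triage checks implied by the mitigation and fix sections above, written as an added example (not code from the advisory or from Babel): a version test against the advisory's fixed versions (7.26.10 and 8.0.0-alpha.17), and a scan of compiled output for the `_wrapRegExp` helper call through which Babel emits the named-capturing-group polyfill. The `_wrapRegExp` helper name is Babel's; the package version strings, the `assessBuild` function and the sample bundle are constructed for this example.

```javascript
// Added example, not part of the advisory or of Babel. Is the installed
// @babel/helpers in the affected range (7.x before 7.26.10, 8.0.0 pre-releases
// before alpha.17), and does the build actually contain the affected polyfill?
const FIRST_FIXED_7 = [7, 26, 10]; // from the advisory
const FIRST_FIXED_8_ALPHA = 17;    // 8.0.0-alpha.17, from the advisory

// Parse "major.minor.patch[-prerelease]" into comparable parts.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(version.trim());
  if (!m) throw new Error(`unrecognised version string: ${version}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

function compareCore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when the version lies in the advisory's affected range.
function isVulnerableHelpersVersion(version) {
  const { core, pre } = parseVersion(version);
  if (core[0] === 8) {
    // The 8.x line is affected only in 8.0.0-alpha.N for N < 17.
    const alpha = core[1] === 0 && core[2] === 0 && pre && /^alpha\.(\d+)$/.exec(pre);
    return alpha ? Number(alpha[1]) < FIRST_FIXED_8_ALPHA : false;
  }
  return compareCore(core, FIRST_FIXED_7) < 0; // everything before 7.26.10
}

// Babel emits the named-group polyfill through a call to its `_wrapRegExp`
// helper. Run this on unminified output, since a minifier may rename the helper.
// A bundle without the call never reaches the affected .replace path.
function usesNamedGroupPolyfill(compiledSource) {
  return /\b_wrapRegExp\s*\(/.test(compiledSource);
}

// Exposure needs both signals: an affected helper that is never emitted is
// inert, and a fixed helper is fine even when the polyfill is present.
function assessBuild(helpersVersion, compiledSource) {
  const vulnerableVersion = isVulnerableHelpersVersion(helpersVersion);
  const polyfillPresent = usesNamedGroupPolyfill(compiledSource);
  return { vulnerableVersion, polyfillPresent, exposed: vulnerableVersion && polyfillPresent };
}

// Constructed sample of Babel output (not taken from any real project).
const SAMPLE_BUNDLE =
  'var _re = /*#__PURE__*/_wrapRegExp(/(\\d{4})-(\\d{2})/, { year: 1, month: 2 });\n';

console.log(assessBuild('7.26.9', SAMPLE_BUNDLE));  // exposed: true
console.log(assessBuild('7.26.10', SAMPLE_BUNDLE)); // exposed: false
```

In a real project, read the version from node_modules/@babel/helpers/package.json and feed the unminified compiler output to usesNamedGroupPolyfill.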
Frequently asked questions
What is CVE-2025-27789 — Regex Complexity in @babel/helpers?
CVE-2025-27789 is a vulnerability in the @babel/helpers package where using named capturing groups in regular expressions can lead to quadratic complexity, causing performance issues.
Am I affected by CVE-2025-27789 in @babel/helpers?
You are affected if you use @babel/helpers versions prior to 7.26.10 and your code utilizes regular expression named capturing groups.
How do I fix CVE-2025-27789 in @babel/helpers?
Upgrade the @babel/helpers package to version 7.26.10 or later to resolve the vulnerability.
Is CVE-2025-27789 being actively exploited?
As of the current date, there are no confirmed reports of active exploitation for CVE-2025-27789.
Where can I find the official @babel/helpers advisory for CVE-2025-27789?
Refer to the official Babel security advisory for details: https://github.com/babel/babel/security/advisories/GHSA-xxxx-xxxx-xxxx (placeholder; replace with the actual advisory URL when available)