Platform: nodejs
Component: @babel/helpers
Fixed versions: 7.26.11, 8.0.1, 7.26.10
CVE-2025-27789 is a vulnerability affecting the @babel/helpers package, a core component of Babel, a JavaScript compiler. This vulnerability arises when using regular expression named capturing groups, leading to quadratic complexity in the generated polyfill for the .replace method under specific conditions. The issue impacts applications using Babel to compile code with these features, potentially causing significant performance degradation. Affected versions are those prior to 7.26.10; upgrading to this version resolves the vulnerability.
The core impact of CVE-2025-27789 lies in the potential for denial-of-service (DoS) through performance degradation. When Babel compiles code utilizing regular expression named capturing groups and encounters specific replacement patterns, it generates a polyfill for the .replace method that exhibits quadratic time complexity. This means the execution time of the replacement operation grows proportionally to the square of the input size. An attacker could craft malicious input strings designed to trigger this quadratic behavior, effectively overwhelming the application's resources and rendering it unresponsive. The blast radius is broad, impacting any application relying on Babel to compile code with named capturing groups and vulnerable versions. While not directly exploitable for data theft, the performance impact can disrupt service and potentially lead to cascading failures.
CVE-2025-27789 is not currently listed on the CISA KEV catalog. The EPSS score is likely low to medium, given the lack of public exploits and the requirement for specific input patterns to trigger the vulnerability. As of the publication date (2025-03-11), no public proof-of-concept (PoC) code has been released. The vulnerability's impact is primarily performance-related, making it less attractive to malicious actors compared to vulnerabilities leading to data breaches or remote code execution.
Applications built with Babel and utilizing regular expression named capturing groups are at risk. This includes web applications, Node.js servers, and any other JavaScript projects that rely on Babel for transpilation. Projects using older versions of Babel or those with complex regular expression patterns are particularly vulnerable.
• nodejs: Monitor CPU usage during regular expression operations using tools like top or htop. Look for unexpected spikes correlated with specific input patterns.
  top -n 1 | grep babel
• nodejs: Inspect Babel configuration files for the use of named capturing groups. Review codebases for instances of .replace calls with complex regular expressions.
• generic web: Monitor application logs for errors or warnings related to performance issues or excessive CPU usage during regular expression processing.
disclosure
Exploitation status
EPSS
0.14% (34th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-27789 is to upgrade the @babel/helpers package to version 7.26.10 or later. This version includes a fix that addresses the quadratic complexity issue. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider temporarily limiting the use of regular expression named capturing groups in critical code paths. While not a complete solution, this can reduce the likelihood of triggering the vulnerability. There are no specific WAF or proxy rules that can directly address this vulnerability, as it resides within the compiled code. Detection can be challenging, but monitoring application performance for unexpected spikes in CPU usage during regular expression operations might indicate exploitation.
Update the Babel dependencies to version 7.26.10 or later, or to version 8.0.0-alpha.17 or later. After updating the dependencies, it is essential to recompile the code so that the changes take effect. This resolves the inefficient regular expression complexity vulnerability.
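The two manual checks suggested above (confirm the installed @babel/helpers version is past the fix, and audit the code base for named capturing groups and .replace calls that reference them) can be scripted. The following Node.js script is an added example written for this page; it is not Babel's code and not taken from the advisory. It assumes the fixed versions stated on this page (7.26.10 on the 7.x line, 8.0.0-alpha.17 on the 8.x prerelease line), and the source it scans is a constructed sample, not a real project.

```javascript
// Added example (not Babel's own code): triage helper for CVE-2025-27789 that
// (1) checks whether an installed @babel/helpers version is in the affected
// range and (2) scans source text for the regex features that create exposure.
// Assumptions: fixed versions as listed on this page; sample source is constructed.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(version.trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : null };
}

// Semver precedence: numeric core first; a prerelease sorts below the plain
// release with the same core; prerelease identifiers compare numerically when
// both are numeric, and numeric identifiers sort before alphanumeric ones.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  const len = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < len; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const xNum = /^\d+$/.test(x), yNum = /^\d+$/.test(y);
    if (xNum && yNum) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (xNum !== yNum) return xNum ? -1 : 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// First fixed version per major line, as stated on this page.
const FIXED_VERSIONS = { 7: '7.26.10', 8: '8.0.0-alpha.17' };

// True when the installed @babel/helpers version predates the fix on its line.
function isAffectedHelpersVersion(version) {
  const { major } = parseSemver(version);
  if (major < 7) return true;   // anything prior to 7.26.10 is affected
  if (major > 8) return false;  // later majors postdate the fix
  return compareSemver(version, FIXED_VERSIONS[major]) < 0;
}

// Named capturing group syntax "(?<name>...)". Lookbehind "(?<=" / "(?<!" is
// deliberately excluded because it is a different feature.
const NAMED_GROUP = /\(\?<(?![=!])[A-Za-z_$][\w$]*>/;
// A .replace( call whose arguments reference a named group via "$<name>".
const REPLACE_WITH_NAMED_REF = /\.replace\s*\([^)]*\$</;

// Report, by 1-based line number, where the source defines named-group regexes
// and where it calls .replace with a "$<name>" substitution.
function findNamedGroupUsage(source) {
  const namedGroupRegexes = [], replaceWithNamedRefs = [];
  source.split('\n').forEach((line, idx) => {
    if (NAMED_GROUP.test(line)) namedGroupRegexes.push(idx + 1);
    if (REPLACE_WITH_NAMED_REF.test(line)) replaceWithNamedRefs.push(idx + 1);
  });
  return { namedGroupRegexes, replaceWithNamedRefs };
}

// Combine both checks: a project is exposed only if it runs an affected helper
// version AND compiles code that uses named capturing groups.
function triage(installedVersion, source) {
  const usage = findNamedGroupUsage(source);
  const affectedVersion = isAffectedHelpersVersion(installedVersion);
  return {
    affectedVersion,
    exposed: affectedVersion && usage.namedGroupRegexes.length > 0,
    ...usage,
  };
}

// Constructed sample source, not taken from any real project.
const SAMPLE_SOURCE = [
  'const date = /(?<year>\\d{4})-(?<month>\\d{2})/;',
  "const out = '2025-03-11'.replace(date, '$<month>/$<year>');",
  'const price = /(?<=\\$)\\d+/; // lookbehind, not a named group',
  "const plain = input.replace(/a+/g, 'b');",
].join('\n');

console.log(JSON.stringify(triage('7.26.9', SAMPLE_SOURCE), null, 2)); // exposed: true
```

The line-based scan is a heuristic for pointing reviewers at the right files, not a parser: a named-group regex defined in one file and used in another will show up as two separate findings, and the version check is what decides whether an upgrade (and a recompile, since the polyfill lives in the compiled output) is needed.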
CVE-2025-27789 is a vulnerability in the @babel/helpers package where using named capturing groups in regular expressions can lead to quadratic complexity, causing performance issues.
You are affected if you use @babel/helpers versions prior to 7.26.10 and your code utilizes regular expression named capturing groups.
Upgrade the @babel/helpers package to version 7.26.10 or later to resolve the vulnerability.
As of the current date, there are no confirmed reports of active exploitation for CVE-2025-27789.
Refer to the official Babel security advisory for details (placeholder URL, to be replaced with the actual advisory URL when available): https://github.com/babel/babel/security/advisories/GHSA-xxxx-xxxx-xxxx