Critical Vulnerability in Babel-Traverse: Arbitrary Code Execution via Malicious Code Compilation
A critical security vulnerability has been identified in the babel-traverse package, a core component of the Babel JavaScript compiler. The vulnerability, tracked as GHSA-67hx-6x53-jw92, allows arbitrary code execution when Babel compiles specially crafted malicious code. This poses a severe risk to any application or build process that uses Babel to transpile untrusted source code. The vulnerability is currently marked with no fix available, leaving affected systems exposed. The impact cascades through the dependency chain: babel-template depends on vulnerable versions of babel-traverse, and babel-plugin-transform-builtin-extend in turn depends on the vulnerable babel-template. This creates a widespread exposure vector for projects that use these common Babel plugins and tools in their development or build pipelines. The advisory rates the severity as critical, emphasizing the immediate risk of remote code execution.
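Because the exposure reaches projects only through transitive dependencies, the practical check is to enumerate every dependency chain in a lockfile that ends at babel-traverse. The script below is an added example, not code from the advisory or from Babel; it walks a constructed npm lockfile (v2/v3 `packages` map) with placeholder versions and applies npm's nearest-`node_modules` resolution rule to recover the chains.

```javascript
// Constructed lockfile for illustration: versions are placeholders, not data
// from the advisory. The nesting mirrors the chain the advisory describes.
const lockfile = {
  name: "example-app",
  packages: {
    "": { dependencies: { "babel-plugin-transform-builtin-extend": "1.0.0", "left-pad": "1.0.0" } },
    "node_modules/babel-plugin-transform-builtin-extend": {
      version: "1.0.0", dependencies: { "babel-template": "6.0.0" } },
    "node_modules/babel-template": {
      version: "6.0.0", dependencies: { "babel-traverse": "6.0.0" } },
    "node_modules/babel-traverse": { version: "6.0.0", dependencies: {} },
    "node_modules/left-pad": { version: "1.0.0", dependencies: {} },
  },
};

// npm resolution: a dependency declared by node_modules/a/node_modules/b is
// looked up as node_modules/a/node_modules/b/node_modules/dep first, then one
// node_modules level up, and so on until the top-level node_modules.
function resolve(packages, fromKey, dep) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package, collecting every chain that ends at
// the target package name. `seen` guards against cyclic dependency graphs.
function findDependencyChains(lock, target) {
  const packages = lock.packages;
  const chains = [];
  const walk = (key, path, seen) => {
    for (const dep of Object.keys(packages[key].dependencies || {})) {
      const depKey = resolve(packages, key, dep);
      if (!depKey || seen.has(depKey)) continue;
      const next = path.concat(dep);
      if (dep === target) { chains.push(next.join(" > ")); continue; }
      walk(depKey, next, new Set(seen).add(depKey));
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

console.log(findDependencyChains(lockfile, "babel-traverse"));
// → ["babel-plugin-transform-builtin-extend > babel-template > babel-traverse"]
```

Run it against a real `package-lock.json` by replacing the constructed object with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty result means no resolved path reaches the package.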