Bug 2491445 (CVE-2026-49356)

Summary: CVE-2026-49356 @babel/core: @babel/core: Arbitrary file read via sourceMappingURL comment
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aazores, abarbaro, abrianik, abuckta, adudiak, akostadi, alizardo, amasferr, amctagga, anthomas, anujha, aoconnor, aschwart, asoldano, aszczucz, ataylor, bbaranow, bbrownin, bdettelb, bmaxwell, bniver, boliveir, brasmith, bstansbe, cdrage, cmah, cochase, dbruscin, dkeler, dkuc, dlofthou, dmayorov, doconnor, dranck, drichtar, dschmidt, dymurray, eaguilar, ebaron, eborisov, ehelms, ehugonne, erezende, fdeutsch, flucifre, fmariani, ggainey, ggrzybek, gmalinko, gmeno, gparvin, groman, ibolton, istudens, ivassile, iweiss, janstey, jchui, jhe, jkoehler, jlanda, jlledo, jmatthew, jmontleo, jolong, jpasqual, jraez, juwatts, jwong, jwon, kaycoth, kshier, ktsao, kvanderr, lball, lchilton, lphiri, mbenjamin, mcarlett, mhackett, mhulan, mosmerov, mposolda, msvehla, nboldt, ngough, nmoumoul, nwallace, oaljalju, omaciel, orabin, oramraz, osousa, pahickey, pantinor, parichar, pcreech, pdelbell, pesilva, pgaikwad, pjindal, pmackay, psrna, rchan, rhaigner, rhel-process-autobot, rjohnson, rmartinc, rstancel, rstepani, rushinde, sdawley, sfeifer, simaishi, slucidi, smallamp, smullick, sostapov, sseago, ssilvert, stcannon, sthorger, stirabos, suppawar, tasato, tcunning, teagle, thason, thjenkin, tmalecek, tsedmik, ttakamiy, vdosoudi, vereddy, veshanka, vmuzikar, watson-tool-maintainers, yfang, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in @babel/core. This vulnerability allows an attacker, who controls the input source code and can read the output, to perform an arbitrary file read. By compiling maliciously crafted code containing a sourceMappingURL comment, the attacker can read any source map file from the system where Babel is running, leading to information disclosure.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-22 18:01:47 UTC
Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is running Babel, if the attacker controls the input source code, can read the output source code, and knows the path of the source map file that they want to read. This vulnerability is fixed in 8.0.0-rc.6 and 7.29.6.