Bug 2491445 (CVE-2026-49356) - CVE-2026-49356 @babel/core: @babel/core: Arbitrary file read via sourceMappingURL comment
Summary: CVE-2026-49356 @babel/core: @babel/core: Arbitrary file read via sourceMappin...
Keywords:
Status: NEW
Alias: CVE-2026-49356
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-22 18:01 UTC by OSIDB Bzimport
Modified: 2026-06-29 04:53 UTC (History)
137 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-22 18:01:47 UTC 
Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is running Babel, if the attacker controls the input source code, can read the output source code, and knows the path of the source map file that they want to read. This vulnerability is fixed in 8.0.0-rc.6 and 7.29.6.
Note You need to log in before you can comment on or make changes to this bug.