CVE-2025-27789: Inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups

Published Mar 11, 2025
·
Updated

Impact

When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).

Your generated code is vulnerable if all the following conditions are true: - You use Babel to compile regular expression named capturing groups - You use the .replace method on a regular expression that contains named capturing groups - Your code uses untrusted strings as the second argument of .replace

If you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled if: - you use duplicated named capturing groups, and target any browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23 - you use any named capturing groups, and target any browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10

You can verify what transforms @babel/preset-env is using by enabling the debug option.

Patches

This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.

Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.

Workarounds

If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< if it's then not followed by > (possibly with other characters in between).

References

This vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.

Other sources

Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the .replace method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of .replace. This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on @babel/helpers, and instead depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees use of a new enough @babel/helpers version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.

MITRE

Affected Software

9 affected componentsFixes available
Babel Babel<7.26.10, <8.0.0-alpha.17
Babel @babel/core<7.26.10
npm/@babel/runtime-corejs3>=8.0.0-alpha.0<8.0.0-alpha.16
8.0.0-alpha.17
npm/@babel/runtime>=8.0.0-alpha.0<8.0.0-alpha.16
8.0.0-alpha.17
npm/@babel/helpers>=8.0.0-alpha.0<8.0.0-alpha.16
8.0.0-alpha.17
npm/@babel/runtime-corejs3<7.26.10
7.26.10
npm/@babel/runtime<7.26.10
7.26.10
npm/@babel/helpers<7.26.10
7.26.10
IBM Edge Application Manager<=4.5

Event History

Mar 11, 2025
CVE Published
via MITRE·07:09 PM
Data Sourced
via MITRE·07:09 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·08:15 PM
DescriptionSeverityWeakness
Advisory Published
via GitHub·08:30 PM
Aug 20, 2025
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2025-27789?

CVE-2025-27789 has a high severity due to potential performance issues caused by quadratic complexity in the polyfill.

2

How do I fix CVE-2025-27789?

To fix CVE-2025-27789, you should upgrade Babel to version 7.26.10 or later, or to 8.0.0-alpha.17 or later.

3

What products are affected by CVE-2025-27789?

CVE-2025-27789 affects Babel versions prior to 7.26.10 and 8.0.0-alpha.17, including @babel/core.

4

What is the impact of CVE-2025-27789?

The impact of CVE-2025-27789 includes significant performance degradation when using named capturing groups in regular expressions.

5

When was CVE-2025-27789 published?

CVE-2025-27789 was published as part of ongoing security advisories for Babel, highlighting issues discovered in previous versions.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203