CVE-2025-27789 (Medium) Detected In Multiple Libraries

by ADMIN

Introduction

In this article, we will discuss a recently disclosed vulnerability, CVE-2025-27789, which a dependency scan reported in multiple libraries. It is rated Medium severity and affects three packages published by the Babel project: @babel/runtime-corejs3, @babel/runtime and @babel/helpers, all of which reached the scanned project as transitive dependencies rather than direct ones. We will provide an overview of the vulnerability, its impact, and the suggested fix.

Vulnerable Libraries

The following libraries are affected by this vulnerability:

  • runtime-corejs3-7.15.3.tgz (@babel/runtime-corejs3): Babel's modular runtime helpers with core-js@3 polyfilling; compiled code imports helpers from it when @babel/plugin-transform-runtime is configured with corejs: 3.
  • runtime-7.15.3.tgz (@babel/runtime): the same modular runtime helpers without the core-js polyfills.
  • helpers-7.15.3.tgz (@babel/helpers): the helper functions that Babel transforms inject into compiled output; it is pulled in through @babel/core.

All three packages ship the helper that polyfills regular expressions with named capturing groups, which is why a single CVE covers them.

Dependency Hierarchy

The dependency hierarchy for these libraries, as found in the scanned project, is as follows (none of the three is a direct dependency, so the fix has to travel through the root libraries or be pinned explicitly):

  • eslint-plugin-jsx-a11y-6.4.1.tgz (Root Library)
    • aria-query-4.2.2.tgz
      • runtime-corejs3-7.15.3.tgz (Vulnerable Library)
  • eslint-plugin-jsx-a11y-6.4.1.tgz (Root Library)
    • runtime-7.15.3.tgz (Vulnerable Library)
  • gatsby-3.12.1.tgz (Root Library)
    • core-7.15.0.tgz
      • helpers-7.15.3.tgz (Vulnerable Library)

Vulnerability Details

The vulnerability, CVE-2025-27789, affects Babel versions prior to 7.26.10 and 8.0.0-alpha.17. When Babel compiles a regular expression that uses named capturing groups (the @babel/plugin-transform-named-capturing-groups-regex transform, which @babel/preset-env enables for targets without native support), it wraps the expression in a runtime helper (wrapRegExp) that re-implements ".replace" so that "$<name>" references in the replacement string still work. In the affected versions, that helper's handling of the replacement string has quadratic complexity on some specific replacement pattern strings: a long, specially shaped second argument to ".replace" keeps the CPU busy for time proportional to the square of its length, which is a denial of service (DoS) against whatever thread runs it (in Node.js, the event loop). Compiled code is exposed only when all three conditions hold: Babel compiled named capturing groups, the code calls ".replace" on such a regular expression, and the replacement argument comes from an untrusted source.
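To make the mechanism concrete, here is an added illustration (not code from Babel or from this page) of what a named-capturing-group polyfill has to do with the replacement string, and why a regex-driven scan of that string is the wrong tool when the string is attacker-controlled. The function names, the group-table format and the sample inputs are assumptions of this example; Babel's own wrapRegExp helper is not reproduced.

```javascript
// Added illustration, not Babel's helper source: what a named-capturing-group
// polyfill must do with the replacement string passed to .replace, and why a
// regex-driven scan of that string can go quadratic on attacker-chosen input.

// Map each group name to its 1-based capture index by scanning the pattern
// source; Babel records this table at compile time. Escapes and character
// classes are skipped so "\(" and "[(]" do not count as groups.
function namedGroupIndexes(source) {
  const groups = {};
  let index = 0;
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === "\\") { i++; continue; }
    if (inClass) { if (c === "]") inClass = false; continue; }
    if (c === "[") { inClass = true; continue; }
    if (c !== "(") continue;
    if (source[i + 1] !== "?") { index++; continue; }          // plain (...)
    // (?<name>...) captures; (?:, (?=, (?!, (?<=, (?<! do not
    if (source[i + 2] === "<" && source[i + 3] !== "=" && source[i + 3] !== "!") {
      const close = source.indexOf(">", i + 3);
      index++;
      groups[source.slice(i + 3, close)] = index;
    }
  }
  return groups;
}

// Linear-time rewrite of "$<name>" references into "$N" so the engine's own
// String.prototype.replace can apply them. Follows the spec's GetSubstitution
// rules for the cases handled: "$$" passes through untouched (the engine turns
// it into one "$"), an unknown name expands to "", and "$<" with no closing
// ">" is literal text.
function expandNamedReferences(replacement, groups) {
  let out = "";
  let i = 0;
  while (i < replacement.length) {
    const c = replacement[i];
    if (c !== "$") { out += c; i++; continue; }
    if (replacement[i + 1] === "$") { out += "$$"; i += 2; continue; }
    if (replacement[i + 1] !== "<") { out += "$"; i++; continue; }
    const close = replacement.indexOf(">", i + 2);
    if (close === -1) { out += replacement.slice(i); break; }  // no ">" left: rest is literal
    const name = replacement.slice(i + 2, close);
    out += Object.prototype.hasOwnProperty.call(groups, name) ? "$" + groups[name] : "";
    i = close + 1;
  }
  return out;
}

// The shape that backtracks badly: a greedy "[^>]+" followed by a mandatory
// ">". On a replacement like "$<$<$<...$<" (no ">" anywhere) each "$<" makes
// the engine swallow the rest of the string and hand it back one character at
// a time before giving up, so total work grows with the square of the length.
// Shown for its scan behaviour only; it also ignores the "$$" escape.
function expandNamedReferencesNaive(replacement, groups) {
  return replacement.replace(/\$<([^>]+)>/g, (_, name) =>
    Object.prototype.hasOwnProperty.call(groups, name) ? "$" + groups[name] : "");
}

// Replace on an engine without native named groups: `re` is the compiled
// pattern with the names stripped, `groups` the table recorded for it.
function replaceWithNamedGroups(re, groups, input, replacement) {
  return input.replace(re, expandNamedReferences(replacement, groups));
}

// Constructed demo input.
const dateGroups = namedGroupIndexes("(?<year>\\d{4})-(?<month>\\d{2})");
console.log(dateGroups);                                                 // { year: 1, month: 2 }
console.log(replaceWithNamedGroups(/(\d{4})-(\d{2})/g, dateGroups, "2025-03", "$<month>/$<year>"));  // 03/2025
const hostile = "$<".repeat(20000);                                     // the quadratic shape
console.log(expandNamedReferences(hostile, dateGroups).length);         // 40000, returned at once
```

The practical lesson is the third condition from the advisory: the replacement argument is a small parser's input, so if it can come from a request, treat it as untrusted and either pass a function as the replacement (no string parsing happens) or run the parser that does a single left-to-right pass, as expandNamedReferences does.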

CVSS 3 Score Details

The CVSS 3 base score for this vulnerability is 6.2 (Medium), vector AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, with the following metrics. The Local attack vector is the advisory's baseline rating; an application that passes request-derived strings as the replacement argument of ".replace" is effectively reachable over the network, so rate the finding on your own exposure rather than on the base score alone.

  • Base Score Metrics:
    • Exploitability Metrics:
      • Attack Vector: Local
      • Attack Complexity: Low
      • Privileges Required: None
      • User Interaction: None
      • Scope: Unchanged
    • Impact Metrics:
      • Confidentiality Impact: None
      • Integrity Impact: None
      • Availability Impact: High

Suggested Fix

The suggested fix is to upgrade @babel/helpers, @babel/runtime and @babel/runtime-corejs3 to 7.26.10 (on the 8.x prerelease line, to 8.0.0-alpha.17). In the hierarchy above none of the three is a direct dependency: @babel/runtime and @babel/runtime-corejs3 arrive through eslint-plugin-jsx-a11y (directly and via aria-query), and @babel/helpers through gatsby's @babel/core. Either bump those root packages to releases that already require the fixed Babel versions, or pin the three packages with an "overrides" (npm) or "resolutions" (yarn) entry in package.json and regenerate the lockfile. Two checks afterwards: "npm ls @babel/helpers @babel/runtime @babel/runtime-corejs3" should show no install below 7.26.10, and because @babel/helpers code is copied into compiled output (unless @babel/plugin-transform-runtime redirects it to @babel/runtime), bundles built before the upgrade keep the old helper until they are rebuilt.
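The following is an added example (not Mend's or Babel's tooling) that performs the lockfile check described above and in the dependency hierarchy section: it reads an npm lockfile (lockfileVersion 2 or 3), flags every install of the three packages below the fixed release, traces each back to the root dependency that pulls it in, and emits the "overrides" map that pins them. The lockfile object is constructed for the example and reproduces the hierarchy on this page; the function names are this example's own.

```javascript
// Added example, not Mend's or Babel's tooling: audit an npm lockfile
// (lockfileVersion 2 or 3) for the three packages named in CVE-2025-27789,
// flag every install below the fixed release, and trace each one back to the
// root dependency that pulls it in. `sampleLock` is constructed for the
// example; for a real project use JSON.parse(fs.readFileSync("package-lock.json", "utf8")).

const FIXED = "7.26.10";
const AFFECTED = ["@babel/helpers", "@babel/runtime", "@babel/runtime-corejs3"];

const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "eslint-plugin-jsx-a11y": "^6.4.1", gatsby: "^3.12.1" } },
    "node_modules/eslint-plugin-jsx-a11y": { version: "6.4.1",
      dependencies: { "@babel/runtime": "^7.15.3", "aria-query": "^4.2.2" } },
    "node_modules/aria-query": { version: "4.2.2",
      dependencies: { "@babel/runtime-corejs3": "^7.15.3" } },
    "node_modules/@babel/runtime": { version: "7.15.3" },
    "node_modules/@babel/runtime-corejs3": { version: "7.15.3" },
    "node_modules/gatsby": { version: "3.12.1", dependencies: { "@babel/core": "^7.15.0" } },
    "node_modules/@babel/core": { version: "7.15.0", dependencies: { "@babel/helpers": "^7.15.3" } },
    "node_modules/@babel/helpers": { version: "7.15.3" },
  },
};

// Vulnerable iff below 7.26.10, or on the 8.0.0-alpha line before alpha.17.
function isVulnerable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(version);
  if (!m) throw new Error("unparseable version: " + version);
  const main = [Number(m[1]), Number(m[2]), Number(m[3])];
  const diff = main.map((n, i) => n - [7, 26, 10][i]).find((d) => d !== 0) || 0;
  if (diff < 0) return true;
  if (main.join(".") === "8.0.0" && m[4]) {
    const alpha = /^alpha\.(\d+)$/.exec(m[4]);
    return alpha ? Number(alpha[1]) < 17 : false;   // later prereleases (beta, rc) are fixed
  }
  return false;
}

// Package name from a lockfile key such as "node_modules/a/node_modules/@s/b".
function nameOf(key) {
  return key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
}

function declaredDeps(pkg) {
  return { ...pkg.dependencies, ...pkg.devDependencies, ...pkg.optionalDependencies };
}

// Node resolution as npm encodes it: look in the requirer's own node_modules,
// then walk up one nesting level at a time until the project root.
function resolveDep(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Every package whose declared dependency on this install actually resolves
// to it (a nested duplicate elsewhere would resolve to a different key).
function dependents(packages, key) {
  const name = nameOf(key);
  return Object.keys(packages).filter((k) => k !== key &&
    name in declaredDeps(packages[k]) && resolveDep(packages, k, name) === key);
}

// All paths from a root dependency down to `key`, as "name@version" lists.
function chainsTo(packages, key, seen = new Set()) {
  if (key === "") return [[]];
  if (seen.has(key)) return [];                    // cycle guard
  const next = new Set(seen).add(key);
  const chains = [];
  for (const parent of dependents(packages, key)) {
    for (const chain of chainsTo(packages, parent, next)) {
      chains.push([...chain, nameOf(key) + "@" + packages[key].version]);
    }
  }
  return chains;
}

function audit(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const key of Object.keys(packages)) {
    if (key === "" || !AFFECTED.includes(nameOf(key))) continue;
    const version = packages[key].version;
    if (!isVulnerable(version)) continue;
    findings.push({ name: nameOf(key), version, path: key,
      chains: chainsTo(packages, key).map((c) => c.join(" > ")) });
  }
  return findings;
}

// package.json "overrides" map forcing the fixed release on every path; yarn
// reads the same shape under "resolutions".
function overridesFor(findings) {
  const overrides = {};
  for (const f of findings) overrides[f.name] = FIXED;
  return overrides;
}

const findings = audit(sampleLock);
for (const f of findings) console.log(`${f.path} ${f.version}: ${f.chains.join(" | ")}`);
console.log(JSON.stringify({ overrides: overridesFor(findings) }, null, 2));
```

Run against a real package-lock.json this prints one line per vulnerable install with every root-to-leaf chain, which is the same information the hierarchy section shows, and the overrides block to paste into package.json when a root package has not yet moved to the fixed Babel release. Re-run it after "npm install" to confirm the lockfile no longer contains the old versions, then rebuild any bundles.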

Conclusion

In conclusion, CVE-2025-27789 affects the Babel packages @babel/runtime-corejs3, @babel/runtime and @babel/helpers. It is rated Medium severity and can lead to a denial-of-service (DoS) attack when untrusted replacement strings reach a polyfilled ".replace". The suggested fix is to upgrade the affected packages to 7.26.10 (or 8.0.0-alpha.17) through their root dependencies or an explicit pin, and to rebuild compiled output afterwards. It is essential to stay up-to-date with the latest security patches and updates to ensure the security of your applications.

Step up your Open Source Security Game with Mend

To stay ahead of security threats, it is essential to have a robust security strategy in place. Mend provides a comprehensive solution for open-source security, including vulnerability detection, risk assessment, and remediation. To learn more about how Mend can help you improve your open-source security, click here.

Additional Resources

For more information on this vulnerability, please refer to the following resources:

Introduction

In our previous article, we discussed the CVE-2025-27789 vulnerability, which affects multiple libraries, including runtime-corejs3, runtime, and helpers. In this article, we will provide a Q&A section to help you better understand the vulnerability and its impact.

Q: What is the CVE-2025-27789 vulnerability?

A: CVE-2025-27789 is a medium-severity vulnerability that affects Babel versions prior to 7.26.10 and 8.0.0-alpha.17. When these versions compile regular expression named capturing groups, Babel generates a polyfill for the ".replace" method that has quadratic complexity on some specific replacement pattern strings (the second argument passed to ".replace"). Compiled code is affected only if Babel compiled named capturing groups, the code calls ".replace" on such a regular expression, and the replacement argument can be supplied by an untrusted party.

Q: What are the affected libraries?

A: The following libraries are affected by this vulnerability:

  • runtime-corejs3-7.15.3.tgz (@babel/runtime-corejs3): Babel's modular runtime helpers with core-js@3 polyfilling.
  • runtime-7.15.3.tgz (@babel/runtime): the same modular runtime helpers without the core-js polyfills.
  • helpers-7.15.3.tgz (@babel/helpers): the helper functions that Babel transforms inject into compiled output.

Q: What is the impact of this vulnerability?

A: A crafted replacement string makes the polyfilled ".replace" run for time proportional to the square of the string's length, consuming CPU until it finishes. In Node.js that blocks the single event loop, so the process stops serving other requests; in a browser it freezes the page. There is no confidentiality or integrity impact, only availability.

Q: What is the CVSS 3 score for this vulnerability?

A: The CVSS 3 base score for this vulnerability is 6.2 (Medium), vector AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, with the following metrics:

  • Base Score Metrics:
    • Exploitability Metrics:
      • Attack Vector: Local
      • Attack Complexity: Low
      • Privileges Required: None
      • User Interaction: None
      • Scope: Unchanged
    • Impact Metrics:
      • Confidentiality Impact: None
      • Integrity Impact: None
      • Availability Impact: High

Q: What is the suggested fix for this vulnerability?

A: Upgrade @babel/helpers, @babel/runtime and @babel/runtime-corejs3 to 7.26.10 (8.0.0-alpha.17 on the 8.x prerelease line). Because they are transitive dependencies here, bump the root packages (eslint-plugin-jsx-a11y, gatsby) or pin the three with an "overrides" (npm) or "resolutions" (yarn) entry, regenerate the lockfile, verify with "npm ls @babel/helpers @babel/runtime @babel/runtime-corejs3", and rebuild any compiled bundles, since @babel/helpers code is inlined into build output.

Q: How can I prevent this vulnerability in the future?

A: To reduce exposure to this class of issue in the future, you can follow these best practices:

  • Keep your dependencies up-to-date with the latest versions, and pin transitive versions with overrides or resolutions when a root package lags behind a fix.
  • Use a vulnerability scanner on the lockfile to detect vulnerable versions in your dependency tree, including nested copies.
  • Regularly review your dependencies and their versions, and rebuild deployed artifacts after upgrading build-time packages such as @babel/helpers, since the old code otherwise stays in the bundle.
  • Never pass untrusted input as the replacement string of ".replace"; use a function replacement instead.

Q: What resources are available to learn more about this vulnerability?

A: For more information on this vulnerability, please refer to the following resources:
