
[Security] [GHSA-fv7c-fp4j-7gwp] Arbitrary code execution in @babel/plugin-transform-modules-systemjs #2790

@github-actions

Description


Security Vulnerability Report

Summary

  • Package: @babel/plugin-transform-modules-systemjs
  • Affected Versions: 7.12.0 - 7.29.0 (transitive dependency via @babel/preset-env)
  • Severity: HIGH
  • Advisory: GHSA-fv7c-fp4j-7gwp
  • CVSS Score: 8.2 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
  • CWE: CWE-94 (Code Injection), CWE-843 (Type Confusion)

Vulnerability Details

@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input. When processing untrusted source code through the Babel transform pipeline, an attacker-controlled input can cause the plugin to emit arbitrary JavaScript code in the compiled output, leading to code injection.

Impact on gh-aw-firewall

This package is a dev/test dependency used in the Jest/Babel test pipeline (babel-jest, @babel/preset-env). It is not included in the production runtime or Docker container images. The risk is limited to the build/test environment, but could affect CI pipelines if untrusted code is compiled during testing.

Remediation

This vulnerability has been fixed in PR #aw_pr1 which updates @babel/preset-env to 7.29.5, pulling in @babel/plugin-transform-modules-systemjs >=7.29.4.

Command: npm audit fix or npm install @babel/preset-env@7.29.5

Testing Required

  • Run full test suite after update
  • Verify no regressions in test infrastructure

References

Detection Details

  • Detected by: Dependency Security Monitor Workflow
  • Detection Time: 2026-05-09T06:31:58Z
  • Source: npm audit

Generated by Dependency Security Monitor

  • expires on Jun 8, 2026, 6:35 AM UTC

Labels: dependencies, security