Search criteria
9 vulnerabilities by esm-dev
CVE-2026-44594 (GCVE-0-2026-44594)
Vulnerability from cvelistv5 – Published: 2026-05-28 14:45 – Updated: 2026-05-28 15:31
VLAI
Title
esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files
Summary
esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, a Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process.
Severity
7.5 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/esm-dev/esm.sh/security/adviso… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44594",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T15:31:13.584346Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T15:31:19.208Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-rg65-45m7-hq57"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esm.sh",
"vendor": "esm-dev",
"versions": [
{
"status": "affected",
"version": "\u003c= 137"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, a Local File Inclusion (LFI) vulnerability exists in the esbuild plugin\u0027s handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T14:45:04.948Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-rg65-45m7-hq57",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-rg65-45m7-hq57"
}
],
"source": {
"advisory": "GHSA-rg65-45m7-hq57",
"discovery": "UNKNOWN"
},
"title": "esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44594",
"datePublished": "2026-05-28T14:45:04.948Z",
"dateReserved": "2026-05-06T21:49:12.426Z",
"dateUpdated": "2026-05-28T15:31:19.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44593 (GCVE-0-2026-44593)
Vulnerability from cvelistv5 – Published: 2026-05-28 14:44 – Updated: 2026-05-28 14:44
VLAI
Title
esm.sh: Legacy Route Path Traversal Can Lead to RCE
Summary
esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components without sanitizing them, producing a storage key. When this key is used, the underlying file system resolves the relative segments and writes the file to the specified path. Thus an attacker can craft a request that writes data to arbitrary locations on the server.
Severity
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/esm-dev/esm.sh/security/adviso… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "esm.sh",
"vendor": "esm-dev",
"versions": [
{
"status": "affected",
"version": "\u003c= 137"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components without sanitizing them, producing a storage key. When this key is used, the underlying file system resolves the relative segments and writes the file to the specified path. Thus an attacker can craft a request that writes data to arbitrary locations on the server."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T14:44:20.782Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-3636-h3vx-6465",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-3636-h3vx-6465"
}
],
"source": {
"advisory": "GHSA-3636-h3vx-6465",
"discovery": "UNKNOWN"
},
"title": "esm.sh: Legacy Route Path Traversal Can Lead to RCE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44593",
"datePublished": "2026-05-28T14:44:20.782Z",
"dateReserved": "2026-05-06T21:49:12.425Z",
"dateUpdated": "2026-05-28T14:44:20.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27730 (GCVE-0-2026-27730)
Vulnerability from cvelistv5 – Published: 2026-02-25 15:37 – Updated: 2026-02-25 20:32
VLAI
Title
esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route
Summary
esm.sh is a no-build content delivery network (CDN) for web development. Versions up to and including 137 have an SSRF vulnerability (CWE-918) in esm.sh’s `/http(s)` fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypassed using DNS alias domains. This allows an external requester to make the esm.sh server fetch internal localhost services. As of time of publication, no known patched versions exist.
Severity
8.6 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/esm-dev/esm.sh/security/adviso… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27730",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T20:31:47.872081Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T20:32:05.079Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esm.sh",
"vendor": "esm-dev",
"versions": [
{
"status": "affected",
"version": "\u003c= 137"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "esm.sh is a no-build content delivery network (CDN) for web development. Versions up to and including 137 have an SSRF vulnerability (CWE-918) in esm.sh\u2019s `/http(s)` fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypassed using DNS alias domains. This allows an external requester to make the esm.sh server fetch internal localhost services. As of time of publication, no known patched versions exist."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T15:37:01.753Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-p2v6-84h2-5x4r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-p2v6-84h2-5x4r"
}
],
"source": {
"advisory": "GHSA-p2v6-84h2-5x4r",
"discovery": "UNKNOWN"
},
"title": "esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27730",
"datePublished": "2026-02-25T15:37:01.753Z",
"dateReserved": "2026-02-23T18:37:14.789Z",
"dateUpdated": "2026-02-25T20:32:05.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-50180 (GCVE-0-2025-50180)
Vulnerability from cvelistv5 – Published: 2026-02-25 15:32 – Updated: 2026-02-27 18:22
VLAI
Title
esm.sh is vulnerable to full-response SSRF
Summary
esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability.
Severity
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/esm-dev/esm.sh/security/adviso… | x_refsource_CONFIRM |
| https://github.com/esm-dev/esm.sh/pull/1149 | x_refsource_MISC |
| https://github.com/esm-dev/esm.sh/commit/0593516c… | x_refsource_MISC |
| https://github.com/esm-dev/esm.sh/blob/f80ff8c8d5… | x_refsource_MISC |
| https://github.com/esm-dev/esm.sh/blob/f80ff8c8d5… | x_refsource_MISC |
| https://github.com/esm-dev/esm.sh/releases/tag/v137 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-50180",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T18:22:22.078547Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T18:22:28.728Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esm.sh",
"vendor": "esm-dev",
"versions": [
{
"status": "affected",
"version": "= 136"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T15:36:03.109Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-3c9r-837r-qqm4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-3c9r-837r-qqm4"
},
{
"name": "https://github.com/esm-dev/esm.sh/pull/1149",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esm-dev/esm.sh/pull/1149"
},
{
"name": "https://github.com/esm-dev/esm.sh/commit/0593516c4cfab49ad3b4900416a8432ff2e23eb0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esm-dev/esm.sh/commit/0593516c4cfab49ad3b4900416a8432ff2e23eb0"
},
{
"name": "https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/internal/fetch/fetch.go#L13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/internal/fetch/fetch.go#L13"
},
{
"name": "https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/server/router.go#L511",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/server/router.go#L511"
},
{
"name": "https://github.com/esm-dev/esm.sh/releases/tag/v137",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esm-dev/esm.sh/releases/tag/v137"
}
],
"source": {
"advisory": "GHSA-3c9r-837r-qqm4",
"discovery": "UNKNOWN"
},
"title": "esm.sh is vulnerable to full-response SSRF"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-50180",
"datePublished": "2026-02-25T15:32:56.449Z",
"dateReserved": "2025-06-13T19:17:51.726Z",
"dateUpdated": "2026-02-27T18:22:28.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23644 (GCVE-0-2026-23644)
Vulnerability from cvelistv5 – Published: 2026-01-18 22:49 – Updated: 2026-01-20 20:06
VLAI
Title
esm.sh has path traversal in `extractPackageTarball` that enables file writes from malicious packages
Summary
esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseeudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a malicious tar file. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue.
Severity
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/esm-dev/esm.sh/security/adviso… | x_refsource_CONFIRM |
| https://github.com/esm-dev/esm.sh/commit/9d77b88c… | x_refsource_MISC |
| https://github.com/esm-dev/esm.sh/commit/c62ab83c… | x_refsource_MISC |
| https://pkg.go.dev/vuln/GO-2025-4138 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23644",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T20:04:08.412888Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T20:06:58.947Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esm.sh",
"vendor": "esm-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 0.0.0-20260116051925-c62ab83c589e"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseeudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a malicious tar file. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-18T22:49:29.676Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-2657-3c98-63jq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-2657-3c98-63jq"
},
{
"name": "https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16"
},
{
"name": "https://github.com/esm-dev/esm.sh/commit/c62ab83c589e7b421a0e1376d2a00a4e48161093",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esm-dev/esm.sh/commit/c62ab83c589e7b421a0e1376d2a00a4e48161093"
},
{
"name": "https://pkg.go.dev/vuln/GO-2025-4138",
"tags": [
"x_refsource_MISC"
],
"url": "https://pkg.go.dev/vuln/GO-2025-4138"
}
],
"source": {
"advisory": "GHSA-2657-3c98-63jq",
"discovery": "UNKNOWN"
},
"title": "esm.sh has path traversal in `extractPackageTarball` that enables file writes from malicious packages"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23644",
"datePublished": "2026-01-18T22:49:29.676Z",
"dateReserved": "2026-01-14T16:08:37.484Z",
"dateUpdated": "2026-01-20T20:06:58.947Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65026 (GCVE-0-2025-65026)
Vulnerability from cvelistv5 – Published: 2025-11-19 17:33 – Updated: 2025-11-20 14:19
VLAI
Title
esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript
Summary
esm.sh is a nobuild content delivery network(CDN) for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a template literal without proper sanitization. An attacker can inject malicious JavaScript code using ${...} expressions within CSS files, which will execute when the module is imported by victim applications. This enables Cross-Site Scripting (XSS) in browsers and Remote Code Execution (RCE) in Electron applications. This issue has been patched in version 136.
Severity
6.1 (Medium)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/esm-dev/esm.sh/security/adviso… | x_refsource_CONFIRM |
| https://github.com/esm-dev/esm.sh/commit/87d2f649… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-65026",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-20T14:19:05.465613Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T14:19:17.852Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-hcpf-qv9m-vfgp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esm.sh",
"vendor": "esm-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 136"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "esm.sh is a nobuild content delivery network(CDN) for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a template literal without proper sanitization. An attacker can inject malicious JavaScript code using ${...} expressions within CSS files, which will execute when the module is imported by victim applications. This enables Cross-Site Scripting (XSS) in browsers and Remote Code Execution (RCE) in Electron applications. This issue has been patched in version 136."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T17:33:11.469Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-hcpf-qv9m-vfgp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-hcpf-qv9m-vfgp"
},
{
"name": "https://github.com/esm-dev/esm.sh/commit/87d2f6497574bf4448641a5527a3ac2beba5fd6c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esm-dev/esm.sh/commit/87d2f6497574bf4448641a5527a3ac2beba5fd6c"
}
],
"source": {
"advisory": "GHSA-hcpf-qv9m-vfgp",
"discovery": "UNKNOWN"
},
"title": "esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65026",
"datePublished": "2025-11-19T17:33:11.469Z",
"dateReserved": "2025-11-13T15:36:51.682Z",
"dateUpdated": "2025-11-20T14:19:17.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65025 (GCVE-0-2025-65025)
Vulnerability from cvelistv5 – Published: 2025-11-19 17:32 – Updated: 2025-11-20 14:09
VLAI
Title
esm.sh CDN service has arbitrary file write via tarslip
Summary
esm.sh is a nobuild content delivery network(CDN) for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths (e.g., package/../../tmp/evil.js). When esm.sh downloads and extracts this package, files may be written to arbitrary locations on the server, escaping the intended extraction directory. This issue has been patched in version 136.
Severity
8.2 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/esm-dev/esm.sh/security/adviso… | x_refsource_CONFIRM |
| https://github.com/esm-dev/esm.sh/commit/9d77b88c… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-65025",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-20T14:09:39.459957Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T14:09:44.277Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-h3mw-4f23-gwpw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esm.sh",
"vendor": "esm-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 136"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "esm.sh is a nobuild content delivery network(CDN) for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths (e.g., package/../../tmp/evil.js). When esm.sh downloads and extracts this package, files may be written to arbitrary locations on the server, escaping the intended extraction directory. This issue has been patched in version 136."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T17:32:46.835Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-h3mw-4f23-gwpw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-h3mw-4f23-gwpw"
},
{
"name": "https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16"
}
],
"source": {
"advisory": "GHSA-h3mw-4f23-gwpw",
"discovery": "UNKNOWN"
},
"title": "esm.sh CDN service has arbitrary file write via tarslip"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65025",
"datePublished": "2025-11-19T17:32:46.835Z",
"dateReserved": "2025-11-13T15:36:51.682Z",
"dateUpdated": "2025-11-20T14:09:44.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59342 (GCVE-0-2025-59342)
Vulnerability from cvelistv5 – Published: 2025-09-17 17:59 – Updated: 2026-01-14 15:52
VLAI
Title
esm.sh writes arbitrary files via path traversal in `X-Zone-Id` header
Summary
esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories. Version 136.1 contains a patch.
Severity
CWE
- CWE-24 - Path Traversal: '../filedir'
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/esm-dev/esm.sh/security/adviso… | x_refsource_CONFIRM |
| https://github.com/esm-dev/esm.sh/commit/833a29f4… | x_refsource_MISC |
| https://github.com/esm-dev/esm.sh/blob/main/serve… | x_refsource_MISC |
| https://github.com/esm-dev/esm.sh/blob/main/serve… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59342",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T18:19:55.260782Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T18:20:28.195Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esm.sh",
"vendor": "esm-dev",
"versions": [
{
"status": "affected",
"version": "\u003c= 136"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application\u2019s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories. Version 136.1 contains a patch."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-24",
"description": "CWE-24: Path Traversal: \u0027../filedir\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T15:52:09.174Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw"
},
{
"name": "https://github.com/esm-dev/esm.sh/commit/833a29f42aeb0acbd7089a71be11dd0a292d3151",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esm-dev/esm.sh/commit/833a29f42aeb0acbd7089a71be11dd0a292d3151"
},
{
"name": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116"
},
{
"name": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411"
}
],
"source": {
"advisory": "GHSA-g2h5-cvvr-7gmw",
"discovery": "UNKNOWN"
},
"title": "esm.sh writes arbitrary files via path traversal in `X-Zone-Id` header"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59342",
"datePublished": "2025-09-17T17:59:34.163Z",
"dateReserved": "2025-09-12T12:36:24.636Z",
"dateUpdated": "2026-01-14T15:52:09.174Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59341 (GCVE-0-2025-59341)
Vulnerability from cvelistv5 – Published: 2025-09-17 17:55 – Updated: 2025-09-17 18:09
VLAI
Title
Local File Inclusion in esm.sh
Summary
esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).
Severity
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/esm-dev/esm.sh/security/adviso… | x_refsource_CONFIRM |
| https://github.com/esm-dev/esm.sh/blob/c62f191d32… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59341",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T18:07:46.500692Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T18:09:50.796Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esm.sh",
"vendor": "esm-dev",
"versions": [
{
"status": "affected",
"version": "\u003c= 136"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources)."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T17:55:25.827Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-49pv-gwxp-532r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-49pv-gwxp-532r"
},
{
"name": "https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168"
}
],
"source": {
"advisory": "GHSA-49pv-gwxp-532r",
"discovery": "UNKNOWN"
},
"title": "Local File Inclusion in esm.sh"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59341",
"datePublished": "2025-09-17T17:55:25.827Z",
"dateReserved": "2025-09-12T12:36:24.635Z",
"dateUpdated": "2025-09-17T18:09:50.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}