esmsh, Local File Inclusion, CVE-2025-59341 (high)

Listen to this Post

The vulnerability arises from improper sanitization in the esm.sh service, which leverages esbuild and package.json to build modules. Specifically, the flaw exists in the `OnResolve` callback of the esbuild plugin used by esm.sh. The service first checks that a resolved file path stays within the package’s working directory. However, after this initial check, the `browser` field in a malicious `package.json` can remap the module path to an attacker-controlled value containing `../` sequences. Because no validation is performed after this remapping, the server employs `path.Join` to combine the package directory with the crafted path, which collapses the `../` sequences. This results in a path that escapes the package directory, allowing the server to read arbitrary system files.
For an attack to succeed, the readable files are constrained by esbuild’s loader: `.json` files must be valid JSON, .txt, .html, and `.md` files are read as raw text, and files without a recognized extension must be valid JavaScript syntax. Non-existent target paths do not cause build errors; instead, the import remains unresolved, enabling the attacker to use a single package as a file existence oracle.
The impact is significant. An attacker can read sensitive system files such as /etc/hostname, /etc/os-release, and critically, the server’s config.json, which may contain npm registry authentication tokens and S3 storage credentials. The exposure of such information could lead to a complete compromise of the server and its associated resources.

DailyCVE Form:

Platform: esm.sh
Version: 136 and earlier
Vulnerability: Path traversal
Severity: High (7.7)
Date: 2025-09-17

Prediction: Already patched

What Undercode Say:

Analytics:

The vulnerability was discovered by Svyatoslav Berestovsky of Metascan. The patch (version 136.1) adds a crucial path validation check. The CVSS score of 7.7 (High) reflects the ease of exploitation and the high confidentiality impact, as the attack requires no privileges or user interaction.

Bash commands and codes related:

Check if a server is vulnerable
curl --path-as-is 'http://localhost:9999/pr/x/y@99/../../../../../../../etc/hostname?raw=1&module=1'
Go command to remediate
go get github.com/esm-dev/esm.sh@latest

Exploit:

The attacker publishes a malicious npm package (e.g., chess-sec-utils1) with a `package.json` containing a `browser` field that maps a local path to a file traversal payload.

"browser": {
"./d1.txt": "../../../../../../../../etc/hostname"
}

When the server processes a request for this package (e.g., /[email protected]), the LFI is triggered. The server returns the requested file’s content in the source map response.

Protection from this CVE:

  1. Immediate Update: Upgrade the esm.sh CDN service to the latest version (beyond version 136).
  2. Strict Input Validation: Sanitize all URL paths involved in file resolution by removing any occurrence of ...
  3. Code Fix: Add a path validation check after the `browser` field remapping to ensure the resolved path still resides within the intended package directory.
    if !strings.HasPrefix(filename, ctx.wd+string(os.PathSeparator)) {
    return esbuild.OnResolveResult{}, fmt.Errorf("path traversal blocked")
    }
    

Impact:

  • An attacker can read arbitrary files from the host filesystem, including sensitive configuration files, private keys, and environment files.
  • This can lead to the disclosure of secrets or credentials, information leakage that could enable further attacks, and potentially a complete server takeover.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top