CVE-2025-59341
Published 2025-09-17
Priority P357, severity high, score 7.7 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Exploit
EPSS: 1.53% (71.5th percentile)
esm.sh is a no-build content delivery network (CDN) for modern web development. In version 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| esm-dev | esm.sh | <= 136 | — |
| github.com | esm-dev_esm.sh | 0 – 136 | — |
OSV
esm.sh has File Inclusion issue in github.com/esm-dev/esm.sh
osv·2025-09-24
GHSA
esm.sh has File Inclusion issue
ghsa·2025-09-17
CVE-2025-59341 [HIGH] CWE-23 esm.sh has File Inclusion issue
## Summary
A Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).
**Severity:** High — LFI can expose secrets, configuration files, credentials, or enable further compromise.
**Impact:** reading configuration files, private keys, environment files, or other sensitive files; disclosure of secrets or credentials; information leakage that could enable further attacks.
The vulnerable code snippet is in this file: https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168
---
## Proof of Concept
1. Using this default config file that I copy from
OSV
esm.sh has File Inclusion issue
osv·2025-09-17
CVE-2025-59341 [HIGH] esm.sh has File Inclusion issue
No detection rules found.
Nuclei
esm.sh <= v136 - Local File Inclusion
nuclei·CVSS 7.7
esm.sh <= 136 contains a local file inclusion caused by improper URL handling that lets attackers read arbitrary files from the host filesystem remotely; exploitation requires a crafted request.
Template:

```yaml
id: CVE-2025-59341
info:
  name: esm.sh <= v136 - Local File Inclusion
  author: 0x_Akoko
  severity: high
  description: |
    esm.sh <= 136 contains a local file inclusion caused by improper URL handling, letting attackers read arbitrary files from the host filesystem remotely, exploit requires crafted request.
  impact: |
    Attackers can read arbitrary files from the server, potentially exposing sensitive information.
  remediation: |
    Update esm.sh to a version later than 136 or the latest available version.
  reference:
    - https://github.com/esm-dev/esm.sh/security/adviso
```
No writeups or analysis indexed.