esm-dev/esm.sh vulnerabilities
9 known vulnerabilities affecting esm-dev/esm.sh.
Total CVEs: 9
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 6, MEDIUM 1
Vulnerabilities
CVE-2025-59341 | P3 | HIGH | CVSS 7.7 | PoC available | affects ≤ 136 | 2025-09-17
CWE-23 (Relative Path Traversal)
esm.sh is a no-build content delivery network (CDN) for modern web development. In 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).
Source: NVD
CVE-2025-59342 | P3 | MEDIUM | CVSS 5.5 | PoC available | affects ≤ 136 | 2025-09-17
CWE-24 (Path Traversal: '../filedir')
esm.sh is a no-build content delivery network (CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or r
Source: NVD
CVE-2025-65025 | P2 | CRITICAL | CVSS 9.8 | fixed in 136 | 2025-11-19
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
esm.sh is a no-build content delivery network (CDN) for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths (e.g., package/../../tmp/evil.js). When esm.sh downloads and extracts t
Source: NVD
CVE-2026-44593 | P3 | HIGH | CVSS 8.7 | affects ≤ 137 | 2026-05-28
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components without sanitizing them, producing a storage key. When
Source: NVD
CVE-2026-27730 | P3 | HIGH | CVSS 7.5 | affects ≤ 137 | 2026-02-25
CWE-918 (Server-Side Request Forgery)
esm.sh is a no-build content delivery network (CDN) for web development. Versions up to and including 137 have an SSRF vulnerability (CWE-918) in esm.sh's `/http(s)` fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypassed using DNS alias domains. This allows an exter
Source: NVD
CVE-2025-65026 | P3 | CRITICAL | CVSS 9.6 | fixed in 136 | 2025-11-19
CWE-94 (Improper Control of Generation of Code, 'Code Injection')
esm.sh is a no-build content delivery network (CDN) for modern web development. Prior to version 136, the esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embeddi
Source: NVD
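The conversion flaw described for CVE-2025-65026 has the classic code-injection shape: untrusted text spliced into a JavaScript template literal, where a backtick or `${...}` in the stylesheet ends the string and becomes code that runs in every importer. The Go program below is an added example written for this page, not esm.sh's own code. It shows the unsafe splice next to the fix of emitting the stylesheet as a JSON string literal, which a JavaScript parser reads as an inert string, and proves the roundtrip is lossless. The `const css = ...; export default css;` module shape and the `hostileCSS` sample are assumptions made for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// hostileCSS is a constructed stylesheet: harmless-looking CSS followed by a
// backtick that closes an enclosing template literal, an expression, and a
// backtick that reopens one so the generated module still parses.
const hostileCSS = "body{color:red}`+alert(document.cookie)+`"

// cssModuleUnsafe mirrors the vulnerable pattern: the CSS is dropped into a
// template literal verbatim, so `...` and ${...} inside it are live syntax.
func cssModuleUnsafe(css string) string {
	return "const css = `" + css + "`;\nexport default css;\n"
}

// cssModuleSafe emits the stylesheet as a JSON string literal. A JSON string is
// valid JavaScript source, and encoding/json escapes what matters: quotes,
// backslashes, control characters, U+2028/U+2029 (line terminators that a JS
// parser honours inside strings) and, by default, < > & so an inline
// "</script>" or "</style>" cannot break out either.
func cssModuleSafe(css string) (string, error) {
	lit, err := json.Marshal(css)
	if err != nil {
		return "", err
	}
	return "const css = " + string(lit) + ";\nexport default css;\n", nil
}

// embeddedCSS recovers the stylesheet from a module produced by cssModuleSafe
// the way a JavaScript parser would read the literal; used to show that the
// escaping loses nothing.
func embeddedCSS(module string) (string, error) {
	const prefix, suffix = "const css = ", ";\nexport default css;\n"
	end := strings.LastIndex(module, suffix)
	if !strings.HasPrefix(module, prefix) || end < 0 {
		return "", fmt.Errorf("unexpected module shape")
	}
	var css string
	err := json.Unmarshal([]byte(module[len(prefix):end]), &css)
	return css, err
}

func main() {
	fmt.Print("unsafe:\n", cssModuleUnsafe(hostileCSS))
	safe, _ := cssModuleSafe(hostileCSS)
	fmt.Print("safe:\n", safe)
}
```

In the unsafe output the literal closes after `body{color:red}`, `alert(document.cookie)` becomes an operand of `+`, and the trailing pair of backticks is an empty literal, so the module is syntactically valid and executes the payload on import; the safe output is a double-quoted string in which the backticks are ordinary characters.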
CVE-2026-44594 | P3 | HIGH | CVSS 7.5 | affects ≤ 137 | 2026-05-28
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, a Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build p
Source: NVD
CVE-2026-23644 | P3 | HIGH | CVSS 7.5 | fixed in 0.0.0-20260116051925-c62ab83c589e | 2026-01-18
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a malicious tar file. Commit https://github.com/esm-dev/esm.sh/commit/9d77b8
Source: NVD
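Several of the entries above come down to the same missing check: CVE-2025-59342 builds a write path from the X-Zone-Id header, CVE-2025-65025 extracts tarball entries such as `package/../../tmp/evil.js`, CVE-2026-23644 is the follow-up where `path.Clean` still let absolute entry names through, and the read-side cases (CVE-2025-59341, CVE-2026-44594) resolve a file path from attacker-controlled input. Cleaning a path is not the fix; the cleaned result has to be verified to lie inside its root. The Go program below is an added example written for this page, not esm.sh's code. It implements that containment check, applies it to a constructed tarball and to an X-Zone-Id-style identifier, and never writes to the real filesystem. The root directories, the zone-id character allowlist and the archive contents are assumptions.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"regexp"
	"strings"
)

var ErrPathEscape = errors.New("path escapes the intended root")

// safeJoin resolves an untrusted relative path (tar entry, header value,
// package.json field) under root and refuses anything landing outside it.
// Cleaning alone is insufficient: Clean turns "package/../../tmp/evil.js"
// into "../tmp/evil.js" and leaves "/etc/cron.d/evil" untouched.
func safeJoin(root, untrusted string) (string, error) {
	p := filepath.FromSlash(untrusted) // tar and npm paths use forward slashes
	if p == "" || filepath.IsAbs(p) || filepath.VolumeName(p) != "" {
		return "", ErrPathEscape
	}
	full := filepath.Join(root, p) // Join cleans the combined path
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	return full, nil
}

// zoneIDRe is an assumed allowlist for identifiers arriving in headers such as
// X-Zone-Id: when a value is only ever used as a directory name, rejecting
// every character outside [A-Za-z0-9_-] is easier to reason about than
// canonicalising arbitrary input; safeJoin still runs as a second gate.
var zoneIDRe = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

func zoneDir(root, zoneID string) (string, error) {
	if !zoneIDRe.MatchString(zoneID) {
		return "", fmt.Errorf("invalid zone id %q", zoneID)
	}
	return safeJoin(root, zoneID)
}

// extractTarToMap walks an npm tarball and returns the regular files that may
// be written under root (keyed by resolved path) plus the entry names it
// refused. Symlinks and hard links are skipped: their targets would need the
// same containment check before being created.
func extractTarToMap(root string, archive []byte) (files map[string][]byte, rejected []string, err error) {
	files = map[string][]byte{}
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, nerr := tr.Next()
		if errors.Is(nerr, io.EOF) {
			return files, rejected, nil
		}
		// Since Go 1.20 the reader may flag non-local names itself; the header
		// is still returned, and the check below is what decides.
		if nerr != nil && !errors.Is(nerr, tar.ErrInsecurePath) {
			return nil, nil, nerr
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		dst, jerr := safeJoin(root, hdr.Name)
		if jerr != nil {
			rejected = append(rejected, hdr.Name)
			continue
		}
		data, rerr := io.ReadAll(tr)
		if rerr != nil {
			return nil, nil, rerr
		}
		files[dst] = data
	}
}

// sampleTarball is a constructed archive: one legitimate file and two entries
// shaped like the ones in the advisories (relative escape, absolute path).
func sampleTarball() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"package/index.js", "export default 1;"},
		{"package/../../tmp/evil.js", "// escaped the package directory"},
		{"/etc/cron.d/evil", "* * * * * root id"},
	} {
		tw.WriteHeader(&tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.body)), Typeflag: tar.TypeReg})
		tw.Write([]byte(e.body))
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	files, rejected, err := extractTarToMap("/srv/build", sampleTarball())
	fmt.Println(len(files), "accepted; rejected:", rejected, "err:", err)
	_, err = zoneDir("/srv/zones", "../../tmp")
	fmt.Println("zone id ../../tmp:", err)
}
```

Rejected entries are reported rather than silently dropped so that a build can fail closed on a package that contains any of them; a tarball that tries to escape is itself the signal.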
CVE-2025-50180 | P3 | HIGH | CVSS 7.5 | affects version 136 only | 2026-02-25
CWE-918 (Server-Side Request Forgery)
esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability.
Source: NVD
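Both SSRF entries (CVE-2026-27730 and CVE-2025-50180) concern the `/http(s)` fetch route, and the first spells out why hostname string matching fails: any public name whose DNS record points at 127.0.0.1 sails past a check for the literal "localhost". The Go program below is an added example written for this page, not esm.sh's implementation. It validates the addresses a name resolves to rather than the name, re-applies the check inside the HTTP transport's dialer so the connection goes to the vetted address (which also covers DNS rebinding and redirect hops), and exercises the policy against a constructed fake DNS zone so it runs offline. The `.example` names, the fake zone and the `Resolver` function type are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Resolver is injected so the policy can be exercised offline; production
// code wraps net.DefaultResolver.LookupIPAddr and returns the IPs it yields.
type Resolver func(ctx context.Context, host string) ([]net.IP, error)

// isForbiddenIP is the policy: loopback, RFC 1918 / ULA, link-local (which
// includes the 169.254.169.254 metadata endpoint), unspecified and multicast.
// The net.IP methods see through IPv4-mapped IPv6 (::ffff:127.0.0.1), so that
// notation is covered too. Add 100.64.0.0/10 if CGNAT space is internal for you.
func isForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// resolveAllowed validates what a host actually points at and returns the
// address to connect to. A literal is checked directly; a name is resolved and
// every record must be public, so an alias domain with an A record for
// 127.0.0.1 fails here however harmless the name looks.
func resolveAllowed(ctx context.Context, host string, resolve Resolver) (net.IP, error) {
	if ip := net.ParseIP(host); ip != nil {
		if isForbiddenIP(ip) {
			return nil, fmt.Errorf("address %s is not public", ip)
		}
		return ip, nil
	}
	ips, err := resolve(ctx, host)
	if err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%q has no addresses", host)
	}
	for _, ip := range ips { // one non-public record rejects the whole name
		if isForbiddenIP(ip) {
			return nil, fmt.Errorf("%q resolves to non-public %s", host, ip)
		}
	}
	return ips[0], nil
}

// checkFetchURL is the request-time gate for a /http(s)-style fetch route.
func checkFetchURL(ctx context.Context, raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.User != nil || u.Hostname() == "" {
		return fmt.Errorf("refusing %q: need http(s), a host, and no credentials", raw)
	}
	_, err = resolveAllowed(ctx, u.Hostname(), resolve)
	return err
}

// fetchClient re-runs the check inside the dialer and connects to the vetted
// address, so a name cannot be re-pointed between check and connect (DNS
// rebinding) and every redirect hop is policed the same way. TLS SNI and the
// Host header still come from the URL, not from the pinned address.
func fetchClient(resolve Resolver) *http.Client {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	tr := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			ip, err := resolveAllowed(ctx, host, resolve)
			if err != nil {
				return nil, err
			}
			return dialer.DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
		},
	}
	return &http.Client{Transport: tr, Timeout: 15 * time.Second}
}

// fakeDNS is a constructed zone for the offline demonstration.
var fakeDNS = map[string][]net.IP{
	"cdn.example":   {net.ParseIP("203.0.113.10")},                          // public (TEST-NET-3)
	"alias.example": {net.ParseIP("127.0.0.1")},                             // alias domain for loopback
	"meta.example":  {net.ParseIP("169.254.169.254")},                       // cloud metadata endpoint
	"mixed.example": {net.ParseIP("203.0.113.10"), net.ParseIP("10.0.0.5")}, // public and private records
}

func fakeResolver(_ context.Context, host string) ([]net.IP, error) {
	if ips, ok := fakeDNS[strings.ToLower(strings.TrimSuffix(host, "."))]; ok {
		return ips, nil
	}
	return nil, &net.DNSError{Err: "no such host", Name: host, IsNotFound: true}
}

func main() {
	fmt.Println(checkFetchURL(context.Background(), "http://alias.example/", fakeResolver))
}
```

`checkFetchURL` gives the route an early, cheap refusal with a useful error; `fetchClient` is the part that actually enforces the policy, because the name is resolved again at dial time and only the checked address is connected to.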