
github.com/esm-dev/esm.sh vulnerabilities

9 known vulnerabilities affecting github.com/esm-dev/esm.sh.

Total CVEs: 9
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 6, MEDIUM 2

Vulnerabilities

CVE-2025-59341 | P3 | HIGH | public PoC | affected: ≥ 0, ≤ 136 | published 2025-09-17
CVE-2025-59341 [HIGH] CWE-23 esm.sh has File Inclusion issue
## Summary
A Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).
**Severity:** High — LFI can expose secrets, configuration files, credentials, or enable further compromise.
**Impact:** reading configuration files, private keys,
Sources: GHSA, OSV
CVE-2025-59342 | P3 | MEDIUM | public PoC | affected: ≥ 0, < 136.1 | published 2025-09-17
CVE-2025-59342 [MEDIUM] CWE-24 esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header
## Summary
A path-traversal flaw in the handling of the `X-Zone-Id` HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory
Sources: GHSA, OSV
CVE-2025-65025 | P2 | HIGH | affected: ≥ 0, < 0.0.0-20251117232647-9d77b88c3207 | published 2025-11-19
CVE-2025-65025 [HIGH] CWE-22 esm.sh CDN service has arbitrary file write via tarslip
### Summary
The esm.sh CDN service is vulnerable to a Path Traversal (CWE-22) vulnerability during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths (e.g., `package/../../tmp/evil.js`). When esm.sh downloads and extracts this package, files may be written to arbitrary locations on the serv
Sources: GHSA, OSV
CVE-2026-44593 | P3 | CRITICAL | affected: ≥ 0, < 0.0.0-20260508100112-1960055e1d53 | published 2026-05-12
CVE-2026-44593 [CRITICAL] CWE-22 esm.sh: Legacy Route Path Traversal Can Lead to RCE
### Impact
- Arbitrary File Write – An attacker can cause the server to write data to any file path it has write permission for.
- Privilege Escalation / RCE – By overwriting critical binaries or scripts, the attacker can execute arbitrary code with the server’s privileges.
### Exploit
The legacy router first retrieves a response from `legacyServer`, parses
Sources: GHSA
CVE-2026-27730 | P3 | HIGH | affected: ≥ 0, < 0.0.0-20250616164159-0593516c4cfa | published 2026-02-25
CVE-2026-27730 [HIGH] CWE-918 esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route
### Summary
An SSRF vulnerability (CWE-918) exists in esm.sh’s `/http(s)` fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypassed using DNS alias domains (for example, `127.0.0.1.nip.io` resolving to `127.0.0.1`). This allows an ex
Sources: GHSA, OSV
CVE-2025-65026 | P3 | MEDIUM | affected: ≥ 0, < 0.0.0-20251118065157-87d2f6497574 | published 2025-11-19
CVE-2025-65026 [MEDIUM] CWE-94 esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript
### Summary
The esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the `?module` query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a template literal wi
Sources: GHSA, OSV
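The conversion the advisory above describes splices stylesheet text into a JavaScript template literal, where a backtick ends the literal and `${` opens an expression, so the CSS body is evaluated as code. The Go below is an added example written for this page, not esm.sh's converter: CSSToModuleVulnerable reproduces the pattern, CSSToModuleSafe replaces the template literal with a JSON string literal (JSON string syntax is a subset of JavaScript string syntax, and Go's encoder also escapes U+2028/U+2029 and the HTML metacharacters), and MaliciousCSS is constructed attacker input.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// MaliciousCSS is constructed attacker input: the comment closes the template
// literal, runs an expression, and reopens a literal so the module still parses.
// The trailing U+2028 is a character older JavaScript engines reject unescaped
// inside string literals.
const MaliciousCSS = "body { color: red; }\n/* ` + (globalThis.pwned = 1) + ` */\n\u2028"

// CSSToModuleVulnerable reproduces the pattern the advisory describes: the
// stylesheet is spliced verbatim into a template literal, so a backtick or
// "${" in the CSS becomes JavaScript. Illustrative, not esm.sh's converter.
func CSSToModuleVulnerable(css string) string {
	return "export default `" + css + "`;\n"
}

// CSSToModuleSafe emits the stylesheet as a JSON string literal instead.
// json.Marshal escapes quotes, backslashes and control characters, and Go's
// encoder additionally escapes <, >, & and U+2028/U+2029, so the output is
// also safe when the module ends up inline in HTML.
func CSSToModuleSafe(css string) (string, error) {
	b, err := json.Marshal(css)
	if err != nil {
		return "", err
	}
	return "export default " + string(b) + ";\n", nil
}

// BreaksOutOfLiteral reports whether the body of a template-literal module
// contains an unescaped backtick or "${", i.e. whether CSS became code.
func BreaksOutOfLiteral(module string) bool {
	body := strings.TrimSuffix(strings.TrimPrefix(module, "export default `"), "`;\n")
	return strings.Contains(body, "`") || strings.Contains(body, "${")
}

// ModuleBody decodes the literal a safe module carries, for round-trip checks.
func ModuleBody(module string) (string, error) {
	lit := strings.TrimSuffix(strings.TrimPrefix(module, "export default "), ";\n")
	var css string
	err := json.Unmarshal([]byte(lit), &css)
	return css, err
}

func main() {
	fmt.Print(CSSToModuleVulnerable(MaliciousCSS))
	safe, _ := CSSToModuleSafe(MaliciousCSS)
	fmt.Print(safe)
}
```

The round trip through ModuleBody is the property to keep in mind: whatever bytes the stylesheet contains, the safe module evaluates back to exactly that string and never to code.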
CVE-2026-44594 | P3 | HIGH | affected: ≥ 0, < 0.0.0-20250616164159-0593516c4cfa | published 2026-05-12
CVE-2026-44594 [HIGH] CWE-22 esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files
### Summary
A Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the `browser` field in `package.json`. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process.
Sources: GHSA
CVE-2026-23644 | P3 | HIGH | affected: ≥ 0.0.1, ≤ 136; ≥ 0, < 0.0.0-20260116051925-c62ab83c589e | published 2026-01-20
CVE-2026-23644 [HIGH] CWE-22 esm.sh has a path traversal in extractPackageTarball enables file writes from malicious packages
### Summary
The [commit](https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16) does not actually fix the path traversal bug. `path.Clean` basically normalizes a path but does not prevent absolute paths in a malicious tar file.
### PoC
This test
Sources: GHSA, OSV
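The path-traversal entries above (the `X-Zone-Id` header in CVE-2025-59342, tarball extraction in CVE-2025-65025 and CVE-2026-23644, the package.json `browser` field in CVE-2026-44594) share one fix: every untrusted name is joined onto the storage base and then verified to still lie inside it, with absolute names refused before any cleaning, since `path.Clean` leaves them untouched. The Go below is an added example written for this page, not esm.sh's code: SafeJoin, ExtractableEntries, the tarball contents and the base directory /srv/esm/pkg are all constructed for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
	"path/filepath"
	"strings"
)

var ErrOutsideBase = errors.New("path escapes base directory")

// SafeJoin joins an untrusted slash-separated name (tar entry, X-Zone-Id value,
// package.json browser mapping) onto base and rejects anything that would land
// outside base. Illustrative helper written for this page, not esm.sh code.
func SafeJoin(base, name string) (string, error) {
	// path.Clean keeps absolute names absolute ("/tmp/evil.js" is already clean),
	// so IsAbs is checked explicitly; backslashes are refused to avoid separator ambiguity.
	if name == "" || path.IsAbs(name) || strings.ContainsRune(name, '\\') {
		return "", ErrOutsideBase
	}
	cleaned := path.Clean(name) // "package/../../tmp/evil.js" -> "../tmp/evil.js"
	if cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return "", ErrOutsideBase
	}
	dest := filepath.Join(base, filepath.FromSlash(cleaned))
	// Independent containment check on the final OS path.
	rel, err := filepath.Rel(base, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return dest, nil
}

// tarFile is one constructed archive entry; a non-empty Link makes it a symlink.
type tarFile struct{ Name, Content, Link string }

func buildTarball(files []tarFile) ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, f := range files {
		hdr := &tar.Header{Name: f.Name, Mode: 0o644, Typeflag: tar.TypeReg, Size: int64(len(f.Content))}
		if f.Link != "" {
			hdr.Typeflag, hdr.Linkname, hdr.Size = tar.TypeSymlink, f.Link, 0
		}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := io.WriteString(tw, f.Content); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// MaliciousTarball is constructed test data shaped like the advisories' npm
// package: a benign file plus three entries that try to leave the extraction dir.
func MaliciousTarball() ([]byte, error) {
	return buildTarball([]tarFile{
		{Name: "package/index.js", Content: "export default 1;\n"},
		{Name: "package/../../tmp/evil.js", Content: "// relative traversal\n"},
		{Name: "/tmp/evil.js", Content: "// absolute name, unchanged by path.Clean\n"},
		{Name: "package/etc", Link: "/etc"}, // a later entry could write through this link
	})
}

// ExtractableEntries walks the archive headers, returning destination paths
// that pass SafeJoin and the names that were rejected. Nothing touches disk.
// Symlinks and hardlinks are refused outright: their targets are a second
// traversal vector that a check on the entry name alone does not see.
func ExtractableEntries(base string, tarball []byte) ([]string, []string, error) {
	var accepted, rejected []string
	tr := tar.NewReader(bytes.NewReader(tarball))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return accepted, rejected, nil
		}
		if err != nil {
			return nil, nil, err
		}
		dest, err := SafeJoin(base, hdr.Name)
		if err != nil || hdr.Typeflag == tar.TypeSymlink || hdr.Typeflag == tar.TypeLink {
			rejected = append(rejected, hdr.Name)
			continue
		}
		accepted = append(accepted, dest)
	}
}

func main() {
	tb, _ := MaliciousTarball()
	accepted, rejected, err := ExtractableEntries("/srv/esm/pkg", tb)
	fmt.Println("accepted:", accepted, "rejected:", rejected, "err:", err)
}
```

The same SafeJoin serves the header and package.json cases: pass the `X-Zone-Id` value or the `browser` mapping as name and the zone or package directory as base, and use only the returned path for the write or read.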
CVE-2025-50180 | P3 | HIGH | affected: ≥ 0, < 0.0.0-20250616164159-0593516c4cfa | published 2026-02-25
CVE-2025-50180 [HIGH] CWE-918 esm.sh is vulnerable to full-response SSRF
### Summary
esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability.
### Details
Vulnerable code location: https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/server/router.go#L511
If the internal address has a suffix listed below, the attacker can obtain content fro
Sources: GHSA, OSV
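Both SSRF entries (CVE-2026-27730 above and CVE-2025-50180 here) describe filters that look at the hostname as a string, which is why a DNS alias such as `127.0.0.1.nip.io` slips through. The Go below is an added example written for this page, not esm.sh's router: NaiveHostCheck reproduces the string-based approach, CheckTarget resolves the name and classifies every returned address by its bytes, and FakeResolver is constructed lookup data (the nip.io mapping is how that service really behaves; the example.com names are invented).

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

var ErrBlockedTarget = errors.New("target resolves to a non-public address")

// Resolver abstracts DNS so the check runs offline here; production code would
// wrap net.DefaultResolver.LookupIPAddr.
type Resolver func(host string) ([]net.IP, error)

// NaiveHostCheck mirrors the string-based validation the advisories describe.
// "127.0.0.1.nip.io" passes: it is neither "localhost" nor a literal IP.
func NaiveHostCheck(host string) bool {
	h := strings.ToLower(host)
	if h == "localhost" || strings.HasSuffix(h, ".localhost") {
		return false
	}
	if ip := net.ParseIP(h); ip != nil && (ip.IsLoopback() || ip.IsPrivate()) {
		return false
	}
	return true
}

// Ranges the net.IP helpers do not cover: "this" network, CGNAT, IETF protocol
// assignments and the benchmarking block.
var extraBlocked = mustCIDRs("0.0.0.0/8", "100.64.0.0/10", "192.0.0.0/24", "198.18.0.0/15")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// IsBlockedIP classifies an address by its bytes, whatever name it came from.
// IPv4-mapped IPv6 (::ffff:127.0.0.1) is handled because the helpers call To4.
func IsBlockedIP(ip net.IP) bool {
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() || ip.IsMulticast() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() {
		return true
	}
	for _, n := range extraBlocked {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// CheckTarget parses host as a literal IP or resolves it, and returns the
// addresses only if every one of them is public: a name answering with one
// public and one internal record is still rejected. The caller should dial
// the returned IP (keeping the original host for SNI and the Host header)
// rather than re-resolve the name, because a second lookup at connect time
// can return a different answer (DNS rebinding).
func CheckTarget(host string, resolve Resolver) ([]net.IP, error) {
	var ips []net.IP
	if ip := net.ParseIP(strings.Trim(host, "[]")); ip != nil {
		ips = []net.IP{ip}
	} else {
		var err error
		if ips, err = resolve(host); err != nil {
			return nil, err
		}
		if len(ips) == 0 {
			return nil, fmt.Errorf("no addresses for %q", host)
		}
	}
	for _, ip := range ips {
		if IsBlockedIP(ip) {
			return nil, fmt.Errorf("%s -> %s: %w", host, ip, ErrBlockedTarget)
		}
	}
	return ips, nil
}

// FakeResolver returns constructed lookup data for an offline demonstration.
func FakeResolver() Resolver {
	table := map[string][]net.IP{
		"127.0.0.1.nip.io":   {net.ParseIP("127.0.0.1")},
		"cdn.example.com":    {net.ParseIP("203.0.113.10")},
		"rebind.example.com": {net.ParseIP("203.0.113.11"), net.ParseIP("10.0.0.5")},
	}
	return func(host string) ([]net.IP, error) {
		if ips, ok := table[strings.ToLower(host)]; ok {
			return ips, nil
		}
		return nil, fmt.Errorf("no such host: %s", host)
	}
}

func main() {
	for _, h := range []string{"127.0.0.1.nip.io", "cdn.example.com", "::ffff:127.0.0.1", "169.254.169.254"} {
		_, err := CheckTarget(h, FakeResolver())
		fmt.Printf("%-20s naive_allows=%v strict=%v\n", h, NaiveHostCheck(h), err)
	}
}
```

Resolving and then dialing the validated address closes the alias bypass; redirects need the same treatment, since a public host can 302 to an internal one, so the check has to run again on every hop rather than once on the initial URL.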