github.com/esm-dev/esm.sh vulnerabilities
9 known vulnerabilities affecting github.com/esm-dev_esm.sh.
Total CVEs: 9
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 6, MEDIUM 2
Vulnerabilities
CVE-2025-59341 [HIGH] CWE-23 esm.sh has File Inclusion issue
Priority: P3 | Severity: HIGH | Public PoC: yes | Affected versions: ≥ 0, ≤ 136 | Date: 2025-09-17
## Summary
A Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).
**Severity:** High — LFI can expose secrets, configuration files, credentials, or enable further compromise.
**Impact:** reading configuration files, private keys,
Sources: GHSA, OSV
CVE-2025-59342 [MEDIUM] CWE-24 esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header
Priority: P3 | Severity: MEDIUM | Public PoC: yes | Affected versions: ≥ 0, < 136.1 | Date: 2025-09-17
## Summary
A path-traversal flaw in the handling of the `X-Zone-Id` HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory
Sources: GHSA, OSV
CVE-2025-65025 [HIGH] CWE-22 esm.sh CDN service has arbitrary file write via tarslip
Priority: P2 | Severity: HIGH | Affected versions: ≥ 0, < 0.0.0-20251117232647-9d77b88c3207 | Date: 2025-11-19
### Summary
The esm.sh CDN service is vulnerable to a Path Traversal (CWE-22) vulnerability during NPM package tarball extraction.
An attacker can craft a malicious NPM package containing specially crafted file paths (e.g., `package/../../tmp/evil.js`).
When esm.sh downloads and extracts this package, files may be written to arbitrary locations on the serv
Sources: GHSA, OSV
CVE-2026-44593 [CRITICAL] CWE-22 esm.sh: Legacy Route Path Traversal Can Lead to RCE
Priority: P3 | Severity: CRITICAL | Affected versions: ≥ 0, < 0.0.0-20260508100112-1960055e1d53 | Date: 2026-05-12
### Impact
- Arbitrary File Write – An attacker can cause the server to write data to any file path it has write permission for.
- Privilege Escalation / RCE – By overwriting critical binaries or scripts, the attacker can execute arbitrary code with the server’s privileges.
### Exploit
The legacy router first retrieves a response from `legacyServer`, parses
Source: GHSA
CVE-2026-27730 [HIGH] CWE-918 esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route
Priority: P3 | Severity: HIGH | Affected versions: ≥ 0, < 0.0.0-20250616164159-0593516c4cfa | Date: 2026-02-25
### Summary
An SSRF vulnerability (CWE-918) exists in esm.sh’s `/http(s)` fetch route.
The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypassed using DNS alias domains (for example, `127.0.0.1.nip.io` resolving to `127.0.0.1`).
This allows an ex
Sources: GHSA, OSV
CVE-2025-65026 [MEDIUM] CWE-94 esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript
Priority: P3 | Severity: MEDIUM | Affected versions: ≥ 0, < 0.0.0-20251118065157-87d2f6497574 | Date: 2025-11-19
### Summary
The esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature.
When a CSS file is requested with the `?module` query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a template literal wi
Sources: GHSA, OSV
CVE-2026-44594 [HIGH] CWE-22 esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files
Priority: P3 | Severity: HIGH | Affected versions: ≥ 0, < 0.0.0-20250616164159-0593516c4cfa | Date: 2026-05-12
### Summary
A Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the `browser` field in `package.json`. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process.
Source: GHSA
CVE-2026-23644 [HIGH] CWE-22 esm.sh has a path traversal in extractPackageTarball enables file writes from malicious packages
Priority: P3 | Severity: HIGH | Affected versions: ≥ 0.0.1, ≤ 136 and ≥ 0, < 0.0.0-20260116051925-c62ab83c589e | Date: 2026-01-20
### Summary
The [commit](https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16) does not actually fix the path traversal bug. `path.Clean` basically normalizes a path but does not prevent absolute paths in a malicious tar file.
### PoC
This test
Sources: GHSA, OSV
CVE-2025-50180 [HIGH] CWE-918 esm.sh is vulnerable to full-response SSRF
Priority: P3 | Severity: HIGH | Affected versions: ≥ 0, < 0.0.0-20250616164159-0593516c4cfa | Date: 2026-02-25
### Summary
esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability.
### Details
Vulnerable code location: https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/server/router.go#L511
If the internal address has a suffix listed below, the attacker can obtain content fro
Sources: GHSA, OSV