Vulnerabilites related to esm-dev - esm.sh
CVE-2025-59341 (GCVE-0-2025-59341)
Vulnerability from cvelistv5
Published
2025-09-17 17:55
Modified
2025-09-17 18:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-23 - Relative Path Traversal
Summary
esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/esm-dev/esm.sh/security/advisories/GHSA-49pv-gwxp-532r | x_refsource_CONFIRM | |
| https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59341",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T18:07:46.500692Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T18:09:50.796Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esm.sh",
"vendor": "esm-dev",
"versions": [
{
"status": "affected",
"version": "\u003c= 136"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources)."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T17:55:25.827Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-49pv-gwxp-532r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-49pv-gwxp-532r"
},
{
"name": "https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168"
}
],
"source": {
"advisory": "GHSA-49pv-gwxp-532r",
"discovery": "UNKNOWN"
},
"title": "Local File Inclusion in esm.sh"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59341",
"datePublished": "2025-09-17T17:55:25.827Z",
"dateReserved": "2025-09-12T12:36:24.635Z",
"dateUpdated": "2025-09-17T18:09:50.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59342 (GCVE-0-2025-59342)
Vulnerability from cvelistv5
Published
2025-09-17 17:59
Modified
2025-09-17 18:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-24 - Path Traversal: '../filedir'
Summary
esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw | x_refsource_CONFIRM | |
| https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116 | x_refsource_MISC | |
| https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59342",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T18:19:55.260782Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T18:20:28.195Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esm.sh",
"vendor": "esm-dev",
"versions": [
{
"status": "affected",
"version": "\u003c= 136"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application\u2019s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-24",
"description": "CWE-24: Path Traversal: \u0027../filedir\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T17:59:34.163Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw"
},
{
"name": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116"
},
{
"name": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411"
}
],
"source": {
"advisory": "GHSA-g2h5-cvvr-7gmw",
"discovery": "UNKNOWN"
},
"title": "esm.sh writes arbitrary files via path traversal in `X-Zone-Id` header"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59342",
"datePublished": "2025-09-17T17:59:34.163Z",
"dateReserved": "2025-09-12T12:36:24.636Z",
"dateUpdated": "2025-09-17T18:20:28.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}