CVE-2025-59341 Scanner

esm.sh is a popular JavaScript content delivery network (CDN) used for importing modules in various web development projects. It is commonly utilized by web developers to fetch JavaScript libraries and modules directly into their projects. This service allows developers to quickly integrate third-party modules without worrying about the build process. With its support for a range of JavaScript versions, esm.sh facilitates the rapid development and deployment of web applications. The platform aims to simplify module imports, enhancing both the development experience and application performance. esm.sh sees widespread use in both personal and enterprise-level projects due to its ease of use and comprehensive module support.

The vulnerability in question is a Local File Inclusion (LFI) which affects esm.sh. This issue arises from improper URL handling, allowing attackers to read arbitrary files from the host filesystem remotely. The vulnerability does not require authentication, making it particularly concerning. Attackers can exploit this flaw by crafting specific requests that navigate and access system files. Successful exploitation could lead to unauthorized access and disclosure of sensitive information. The vulnerability is significant due to its potential impact and ease of exploitation if the system is not updated.

The LFI vulnerability is specifically triggered by sending a crafted HTTP request to the vulnerable server. By structuring a request that navigates through the server file system, attackers can access critical files such as '/etc/passwd'. This improper handling of URLs permits unauthorized file reading outside the web root directory. The vulnerable endpoint involves appendages of path traversal sequences in requests to access sensitive system files. As per reported cases, the 'matchers' detect successful exploitation by searching for specific patterns in the server's response, indicating file content disclosure.

Exploitation of this LFI vulnerability can have several severe consequences. Attackers may gain access to sensitive files, such as configuration files, passwords, or other sensitive data. This unauthorized access could lead to further attacks, including privilege escalation or data theft. Additionally, disclosure of sensitive server information can assist attackers in planning more sophisticated attacks. The exposure of such data increases the risk of compromised accounts and unauthorized system access, undermining the overall security posture of the affected systems.

REFERENCES

• https://github.com/esm-dev/esm.sh/security/advisories/GHSA-49pv-gwxp-532r
• https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168
• https://nvd.nist.gov/vuln/detail/CVE-2025-59341