
CVE-2025-59341: esm.sh CDN Path Traversal Vulnerability

CVE-2025-59341 is a path traversal flaw in esm.sh CDN that allows attackers to read unauthorized files from the host filesystem. This article covers technical details, affected versions, security impact, and mitigation strategies.

CVE-2025-59341 Overview

CVE-2025-59341 is a Local File Inclusion (LFI) vulnerability in esm.sh, a no-build content delivery network (CDN) used for modern web development. The flaw affects version 136 and earlier releases of the esm.sh service. Attackers can craft malicious requests that cause the server to read and return files from the host filesystem or other unintended file sources. The vulnerability is categorized under CWE-23 (Relative Path Traversal) and resides in the service URL handling logic of the server/router.go component.

Critical Impact

Remote, unauthenticated attackers can read arbitrary files from the esm.sh host filesystem, exposing source code, configuration data, and secrets without requiring user interaction.

Affected Products

  • esm.sh versions 136 and earlier
  • Self-hosted esm.sh CDN deployments
  • Applications relying on vulnerable esm.sh instances for module delivery

Discovery Timeline

  • 2025-09-17 - CVE-2025-59341 published to the National Vulnerability Database (NVD)
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-59341

Vulnerability Analysis

The vulnerability exists in the URL handling logic of esm.sh, specifically within the request router implementation in server/router.go. The service accepts user-controlled path components and uses them to locate files for delivery. Insufficient validation of these path components allows attackers to manipulate the resolved file location.

By crafting requests containing directory traversal sequences or unexpected path constructs, an attacker can break out of the intended module directory. The server then reads files from arbitrary filesystem locations and returns their contents in the HTTP response. This exposes sensitive information including application source code, environment files, private keys, and operating system configuration files.

The issue carries an EPSS probability of 1.458% at the 81st percentile, indicating elevated likelihood of exploitation relative to the broader CVE population.

Root Cause

The root cause is improper sanitization of path segments derived from inbound HTTP requests in the esm.sh router. The code at the referenced line in server/router.go constructs filesystem paths without normalizing traversal sequences or enforcing a strict base directory. This violates the principle of constraining file access to a designated content root.
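A resolver that enforces the content-root constraint described above, as an added example written for this article in Go (the language of server/router.go). It is not esm.sh's code; the helper name, the root directory and the request strings are made up for the example, and the input is the still-percent-encoded path from the request line.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for any request that would resolve above the content root.
var ErrOutsideRoot = errors.New("requested path escapes content root")

// ResolveUnderRoot maps a still-percent-encoded request path onto a filesystem
// path that is guaranteed to stay inside root. Hypothetical helper written for
// this article, not esm.sh's router code.
func ResolveUnderRoot(root, rawRequest string) (string, error) {
	// Decode exactly once, so %2e%2e%2f is seen as ../ before any path logic runs.
	decoded, err := url.PathUnescape(rawRequest)
	if err != nil {
		return "", fmt.Errorf("malformed escape in request path: %w", err)
	}
	// NUL bytes and backslashes have no legitimate place in a module path on a POSIX host.
	if strings.ContainsAny(decoded, "\x00\\") {
		return "", ErrOutsideRoot
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Join normalizes "." and ".." segments; the Rel check then enforces the boundary
	// instead of trusting that normalization alone kept the path inside root.
	candidate := filepath.Join(absRoot, decoded)
	rel, err := filepath.Rel(absRoot, candidate)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return candidate, nil
}

func main() {
	for _, req := range []string{"react@18.2.0/index.js", "../../etc/passwd", "%2e%2e%2f%2e%2e%2fetc%2fpasswd"} {
		p, err := ResolveUnderRoot("/srv/esm/cache", req)
		fmt.Printf("%-34q -> %q, %v\n", req, p, err)
	}
}
```

filepath.Rel does not follow symlinks, so if the cache directory can contain links, run filepath.EvalSymlinks on the result and repeat the boundary check.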

Attack Vector

The vulnerability is exploitable over the network without authentication or user interaction. An attacker sends a single HTTP request to a vulnerable esm.sh endpoint with a crafted URL designed to escape the module serving directory. The server processes the request, reads the targeted file, and returns its contents in the response body.

The vulnerability manifests in the request routing logic referenced in the esm.sh source code. Refer to the GitHub Security Advisory GHSA-49pv-gwxp-532r for full technical details on the affected code path.

Detection Methods for CVE-2025-59341

Indicators of Compromise

  • HTTP request URIs containing traversal sequences such as ../, encoded variants like %2e%2e%2f, or absolute path references targeting esm.sh endpoints
  • Outbound responses from esm.sh hosts returning content with file signatures matching /etc/passwd, .env, id_rsa, or other sensitive file headers
  • Access log entries showing unusual file extensions or paths outside the expected module namespace served by esm.sh

Detection Strategies

  • Inspect web server and reverse proxy logs for requests targeting esm.sh routes with path traversal patterns or unexpected characters in module identifiers
  • Deploy web application firewall (WAF) signatures that flag directory traversal attempts against the esm.sh URL structure
  • Correlate response sizes and content types from esm.sh endpoints to identify anomalous file content being returned to clients

Monitoring Recommendations

  • Enable verbose request logging on esm.sh deployments and forward logs to a centralized analytics platform for traversal pattern analysis
  • Monitor filesystem access patterns on esm.sh hosts to detect reads outside the designated module cache directory
  • Establish alerting on repeated 200-status responses to malformed module paths, which may indicate successful file disclosure
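The log inspection and 200-status correlation described above, as an added Go example that is not part of the original article. The Combined Log Format shape, the helper names and the three sample lines are constructed for the example; the scanner decodes each request target up to twice so that double-encoded sequences are seen as well.

```go
package main

import (
	"net/url"
	"regexp"
	"strings"
)

// Finding is one access-log entry whose request target carried a traversal sequence.
type Finding struct {
	ClientIP, Path, Status string // Path is the fully decoded request target
	Served                 bool   // HTTP 200: the host answered, so treat the file as disclosed
}

// combinedLog captures client, method, target and status from a Combined Log Format line (assumed shape).
var combinedLog = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) `)

// SampleLog is constructed data in the shape of a reverse-proxy access log.
var SampleLog = []string{
	`203.0.113.7 - - [17/Sep/2025:10:01:02 +0000] "GET /react@18.2.0/index.js HTTP/1.1" 200 1842 "-" "Mozilla/5.0"`,
	`203.0.113.9 - - [17/Sep/2025:10:01:05 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024 "-" "curl/8.0"`,
	`203.0.113.9 - - [17/Sep/2025:10:01:06 +0000] "GET /..%252f..%252fetc/hosts HTTP/1.1" 403 0 "-" "curl/8.0"`,
}

// HasTraversal percent-decodes the target up to twice (double encoding is a
// common evasion; a malformed escape keeps the last good value) and reports a
// ".." path segment or a backslash in the result.
func HasTraversal(raw string) (string, bool) {
	for i := 0; i < 2; i++ {
		dec, err := url.PathUnescape(raw)
		if err != nil {
			break
		}
		raw = dec
	}
	return raw, strings.Contains("/"+raw+"/", "/../") || strings.Contains(raw, `\`)
}

// ScanAccessLog returns one Finding per parseable line that carries a traversal sequence.
func ScanAccessLog(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		if m := combinedLog.FindStringSubmatch(line); m != nil {
			if p, hit := HasTraversal(m[3]); hit {
				out = append(out, Finding{ClientIP: m[1], Path: p, Status: m[4], Served: m[4] == "200"})
			}
		}
	}
	return out
}
```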

How to Mitigate CVE-2025-59341

Immediate Actions Required

  • Upgrade esm.sh to a version later than 136 that contains the fix for the URL handling logic
  • Audit esm.sh access logs for prior exploitation attempts and rotate any secrets that may have been exposed through the vulnerable host
  • Restrict network exposure of self-hosted esm.sh instances using firewall rules or reverse proxy access controls until patching is complete

Patch Information

The esm.sh maintainers have addressed the vulnerability in releases following version 136. Administrators of self-hosted esm.sh deployments should pull the latest tagged release from the esm.sh repository and redeploy. Public consumers of the esm.sh hosted service receive the fix automatically. Review the GitHub Security Advisory GHSA-49pv-gwxp-532r for full remediation guidance.

Workarounds

  • Place a reverse proxy in front of esm.sh that rejects requests containing ../, ..\, or URL-encoded traversal sequences before they reach the application
  • Run the esm.sh process under a dedicated low-privilege user account with filesystem access limited to the module cache directory using mandatory access controls such as AppArmor or SELinux
  • Use container isolation with read-only mounts and minimal filesystem layout to reduce the set of files exposable through the LFI condition
```nginx
# Example nginx reverse proxy filter blocking traversal sequences.
# $request_uri is the raw, undecoded request line, so the percent-encoded
# forms must be listed explicitly; ~* makes the match case-insensitive, which
# also covers %2E. nginx's config parser collapses "\\" to "\", so the
# backslash variant is matched with the PCRE hex escape \x5c instead.
location / {
    if ($request_uri ~* "(\.\./|\.\.\x5c|%2e%2e%2f|%2e%2e/|/%2e%2e)") {
        return 403;
    }
    proxy_pass http://esm_backend;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
