CVE-2025-65026: Esm.sh CDN RCE Vulnerability

CVE-2025-65026 Overview

CVE-2025-65026 is a Template Literal Injection vulnerability (CWE-94) affecting esm.sh, a no-build content delivery network (CDN) for modern web development. The vulnerability exists in esm.sh's CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a template literal without proper sanitization. An attacker can inject malicious JavaScript code using ${...} expressions within CSS files, which will execute when the module is imported by victim applications. This enables Cross-Site Scripting (XSS) in browsers and Remote Code Execution (RCE) in Electron applications.

Critical Impact

This vulnerability allows attackers to inject arbitrary JavaScript code through malicious CSS files, enabling XSS attacks in web browsers and potentially achieving Remote Code Execution in Electron-based applications that import compromised CSS modules.

Affected Products

• esm.sh versions prior to 136

Discovery Timeline

• 2025-11-19 - CVE-2025-65026 published to NVD
• 2026-01-15 - Last updated in NVD database

Technical Details for CVE-2025-65026

Vulnerability Analysis

The esm.sh CDN provides a convenient feature that allows developers to import CSS files as JavaScript modules by appending the ?module query parameter to CSS file URLs. When this parameter is used, the service converts the CSS content into a JavaScript module that can be consumed by modern bundlers and applications.

The vulnerability arises from the way esm.sh handles this conversion process. When transforming CSS content into a JavaScript module, the service embeds the raw CSS content directly into a JavaScript template literal (backtick-enclosed strings). Template literals in JavaScript support expression interpolation through the ${...} syntax, which allows embedded expressions to be evaluated and their results included in the string.

The critical flaw is that esm.sh fails to sanitize or escape CSS content before embedding it into the template literal. This means that if an attacker can control or inject content into a CSS file (or host a malicious CSS file), they can include ${...} expressions that will be executed as JavaScript code when the module is loaded.

Root Cause

The root cause is improper input sanitization (CWE-94: Improper Control of Generation of Code) in the CSS-to-JavaScript module conversion feature. The service directly embeds untrusted CSS content into JavaScript template literals without escaping template literal special characters (backticks and ${ sequences). This allows malicious content within CSS files to break out of the template literal context and execute arbitrary JavaScript code.

Attack Vector

The attack is network-based and requires user interaction. An attacker can exploit this vulnerability through the following attack flow:

1. The attacker creates or compromises a CSS file to include malicious JavaScript expressions using the ${...} syntax
2. A victim application imports this CSS file from esm.sh using the ?module query parameter
3. esm.sh converts the CSS to a JavaScript module, embedding the malicious content directly into a template literal
4. When the victim application loads the module, the injected JavaScript expressions are evaluated and executed

In browser contexts, this results in Cross-Site Scripting (XSS) attacks that can steal cookies, session tokens, or perform actions on behalf of the user. In Electron applications, which have access to Node.js APIs, this can escalate to full Remote Code Execution (RCE) on the victim's system.

Detection Methods for CVE-2025-65026

Indicators of Compromise

• Unusual CSS files containing JavaScript template literal syntax (${...} expressions)
• Network requests to esm.sh CDN with ?module parameter for CSS files from untrusted sources
• JavaScript errors or unexpected code execution when loading CSS modules
• Presence of esm.sh imports for CSS files from external or user-controllable sources

Detection Strategies

• Monitor application dependencies for CSS imports from esm.sh using the ?module parameter
• Implement Content Security Policy (CSP) to restrict script sources and detect unauthorized code execution
• Review application code for dynamic or user-controllable CSS module imports from esm.sh
• Use static analysis tools to identify potentially vulnerable import patterns

Monitoring Recommendations

• Enable CSP violation reporting to detect attempted XSS attacks
• Monitor browser console logs for unexpected JavaScript execution from CSS module imports
• Track esm.sh CDN requests in network logs to identify suspicious CSS module loading patterns
• Implement Subresource Integrity (SRI) checks for critical CDN resources where possible

How to Mitigate CVE-2025-65026

Immediate Actions Required

• Upgrade esm.sh to version 136 or later, which contains the security patch
• Review all application code for CSS imports from esm.sh using the ?module parameter
• Audit third-party CSS files imported through esm.sh for malicious content
• Implement Content Security Policy headers to mitigate potential XSS impact

Patch Information

The vulnerability has been patched in esm.sh version 136. The fix is available in commit 87d2f6497574bf4448641a5527a3ac2beba5fd6c. Organizations should update to the patched version immediately. For detailed patch information, refer to the GitHub Commit Update and the GitHub Security Advisory.

Workarounds

• Avoid using the ?module query parameter for CSS files from untrusted sources until patching
• Self-host critical CSS files instead of relying on the esm.sh CDN for module conversion
• Implement strict Content Security Policy (CSP) headers to limit script execution sources
• For Electron applications, disable Node.js integration in renderer processes where possible to limit RCE impact