Local File Inclusion Vulnerability in esm.sh Delivery Network
CVE-2025-59341

7.7 HIGH

Key Information:

Vendor: Esm-dev

Status
Vendor
CVE Published: 17 September 2025

What is CVE-2025-59341?

A Local File Inclusion (LFI) issue has been found in the URL handling of the esm.sh service, affecting versions 136 and earlier. An attacker can send specially crafted requests that cause the server to read and return files from the host filesystem or other unintended file sources. This could lead to unauthorized access to sensitive information stored on the system, so the affected service should be updated promptly.

Affected Version(s)

esm.sh <= 136

CVSS V4

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
