Local File Inclusion Vulnerability in esm.sh Delivery Network
CVE-2025-59341

7.7 HIGH

Key Information:

Vendor: esm-dev
Status: Vendor
CVE Published: 17 September 2025

What is CVE-2025-59341?

CVE-2025-59341 is a Local File Inclusion (LFI) vulnerability in esm.sh, a no-build content delivery network (CDN) for modern web development. The flaw lies in the service's URL handling: a specially crafted request can make the server read and return files from the host's filesystem, including locations outside the directories it is meant to serve. The direct consequence is disclosure of whatever those files contain. Organisations that rely on esm.sh for content delivery and development resources are therefore exposed to leakage of sensitive data held on the serving host.
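The vulnerability class described above, shown as an added example in Go (the language esm.sh is written in). This is illustrative code written for this page, not esm.sh's own code and not the specific flaw behind CVE-2025-59341: the serving root `/srv/modules`, the function names and the sample request paths are all assumptions. It contrasts a handler that joins the request path straight under its root with one that normalises the path first and then verifies the result still lies inside the root.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// root is a hypothetical directory the service is meant to serve from
// (an assumption for this example, not esm.sh's real layout).
const root = "/srv/modules"

// naiveResolve maps a request path to a file on disk by joining it under root.
// filepath.Join cleans the result, so "../" segments in the request path are
// applied before any check: "../../etc/passwd" resolves to "/etc/passwd".
func naiveResolve(requestPath string) string {
	return filepath.Join(root, requestPath)
}

// insideRoot reports whether full is root itself or a path beneath it.
// The comparison is lexical: it does not follow symlinks on disk.
func insideRoot(full string) bool {
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return false
	}
	sep := string(filepath.Separator)
	return rel != ".." && !strings.HasPrefix(rel, ".."+sep)
}

// safeResolve first cleans the request path as if it were absolute, so ".."
// cannot climb above "/", then joins it under root and re-checks containment.
// The second check is defence in depth; the first step already makes a
// lexical escape impossible.
func safeResolve(requestPath string) (string, error) {
	clean := filepath.Clean("/" + requestPath)
	full := filepath.Join(root, clean)
	if !insideRoot(full) {
		return "", errors.New("request path escapes serving root")
	}
	return full, nil
}

func main() {
	// Constructed sample request paths: one legitimate module path and one
	// traversal attempt.
	for _, p := range []string{"pkg/index.js", "../../etc/passwd"} {
		naive := naiveResolve(p)
		safe, err := safeResolve(p)
		fmt.Printf("request %q\n  naive: %s (inside root: %v)\n  safe:  %s err=%v\n",
			p, naive, insideRoot(naive), safe, err)
	}
}
```

The leading-slash cleaning is the same trick Go's `http.FileServer` applies to `http.Dir` paths. Both the check and the cleaning are purely lexical, so a symlink inside the root that points outside it is not caught; Go 1.24's `os.Root` enforces containment at the OS level and closes that gap.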

Potential Impact of CVE-2025-59341

  1. Unauthorized Data Exposure: Exploitation discloses files from the server's filesystem. Depending on what is stored on the host, that can include configuration files, credentials, private keys or other proprietary material.

  2. System Compromise: The CVSS vector on this page rates integrity and availability impact as None, so the vulnerability itself does not modify files or execute code. Escalation to a fuller compromise is possible only indirectly, if the disclosed files contain credentials, tokens or keys that an attacker can reuse against the host or other systems.

  3. Reputation Damage: A breach traced to this vulnerability can cost an organisation customer trust and bring legal and compliance consequences, on top of the cost of remediation.

Affected Version(s)

esm.sh <= 136

CVSS V4

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 17 September 2025

  • Vulnerability reserved