Description
esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, a Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process.
Published: 2026-05-28
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a local file inclusion flaw in the esbuild plugin’s handling of the browser field defined in a package.json file. An attacker can create and publish a malicious npm package that, during the CDN’s build process, causes the server to read and return arbitrary files from the host filesystem. This flaw exposes confidential server data; the description indicates that authentication is not required, though this is inferred and not explicitly stated, and can undermine the confidentiality of the deployment environment.

Affected Systems

The affected system is esm.sh, a no-build CDN for web development. All releases of the esbuild plugin version 137 and earlier are vulnerable.

Risk and Exploitability

The CVSS score of 7.5 classifies this as a high‑severity weakness. Exploitation requires the ability to publish a package to the npm registry that points to esm.sh, a capability that can be exercised by any external attacker. While the EPSS score is not available, the known public exploit path (via publishing a malicious package) indicates a realistic threat. The vulnerability is not currently listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 28, 2026 at 16:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade esm.sh to esbuild plugin version 138 or later to eliminate the LFI flaw.
  • If an upgrade is temporarily infeasible, remove or sanitize the browser field in package.json files served by esm.sh to prevent the plugin from attempting to resolve file paths.
  • Monitor npm package submissions and system logs for anomalous file read requests, and enforce restrictions on external package uploads until the patch is applied.

Generated by OpenCVE AI on May 28, 2026 at 16:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rg65-45m7-hq57 esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files
History

Sat, 30 May 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Esm-dev
Esm-dev esmsh
Vendors & Products Esm-dev
Esm-dev esmsh

Fri, 29 May 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, a Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process.
Title esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Esm-dev Esmsh
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T15:31:19.208Z

Reserved: 2026-05-06T21:49:12.426Z

Link: CVE-2026-44594

cve-icon Vulnrichment

Updated: 2026-05-28T15:31:07.445Z

cve-icon NVD

Status : Deferred

Published: 2026-05-28T16:16:24.717

Modified: 2026-05-29T16:32:14.400

Link: CVE-2026-44594

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T21:00:12Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')