Platform
go
Component
github.com/esm-dev/esm.sh
Fixed in
136.0.1
CVE-2025-59341 describes a File Inclusion vulnerability discovered in esm.sh, a JavaScript module loader. This flaw allows attackers to potentially include arbitrary files, which could lead to code execution and compromise of the system. The vulnerability impacts versions of esm.sh prior to 136.0.1, and a patch has been released to address the issue.
The File Inclusion vulnerability in esm.sh allows an attacker to control which files are included during the module loading process. By providing a malicious file path, an attacker could inject and execute arbitrary code within the context of the esm.sh environment. This could lead to a complete compromise of the system, including data exfiltration, denial of service, and further exploitation. The potential impact is significant, particularly in environments where esm.sh is used to load critical dependencies.
CVE-2025-59341 was published on 2025-09-24. Currently, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any updates regarding active exploitation campaigns.
Applications and services that rely on esm.sh to load JavaScript modules are at risk. This includes projects using modern JavaScript build tools and frameworks. Developers who have integrated esm.sh into their workflows should prioritize upgrading to the patched version.
• go / server:
find /path/to/esm.sh -type f -name '*.go' -print0 | xargs -0 grep -i 'include' -A 5
• generic web:
curl -I 'https://your-esm-sh-instance/path/to/vulnerable/file?file=../../../../etc/passwd'
Disclosure
Exploit status
EPSS
0.11% (30th percentile)
CISA SSVC
The primary mitigation for CVE-2025-59341 is to immediately upgrade to version 136.0.1 or later of esm.sh. If upgrading is not immediately feasible, consider implementing strict input validation and sanitization on any user-controlled data used in file paths within esm.sh configurations. Review and restrict access to sensitive files that could be targeted by this vulnerability. Monitor system logs for unusual file access patterns that might indicate exploitation attempts.
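As an added illustration of the interim mitigation above (strict validation of user-controlled data used in file paths), the following Go function is example code written for this page, not code from esm.sh or from the advisory; the root directory, parameter name and sample requests are hypothetical. It resolves a requested path against an allowed root and fails closed on traversal, including percent-encoded traversal and sibling-directory escapes that a naive string-prefix check would miss.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when the resolved path leaves the allowed root.
var ErrOutsideRoot = errors.New("requested path escapes the allowed root")

// SafeJoin resolves requested (e.g. the value of a ?file= query parameter,
// possibly percent-encoded) against root and returns the absolute path only
// if it is inside root. Any other outcome is an error.
func SafeJoin(root, requested string) (string, error) {
	// Judge the decoded form so "..%2F.." cannot slip past a literal check.
	decoded, err := url.PathUnescape(requested)
	if err != nil {
		return "", fmt.Errorf("undecodable path %q: %w", requested, err)
	}
	// NUL bytes can truncate paths in lower layers; never accept them.
	if strings.ContainsRune(decoded, 0) {
		return "", errors.New("NUL byte in requested path")
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so "a/../../b" collapses before the check below;
	// a leading "/" in decoded is treated as relative to root, not the filesystem.
	candidate := filepath.Join(absRoot, decoded)
	rel, err := filepath.Rel(absRoot, candidate)
	if err != nil {
		return "", err
	}
	// Rel yields ".." or "../..." exactly when candidate lies outside absRoot;
	// this also rejects "/srv/esm2/x" for root "/srv/esm", unlike HasPrefix.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return candidate, nil
}

func main() {
	// Constructed sample requests: one legitimate, three traversal attempts.
	for _, req := range []string{"lib/mod.js", "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd", "lib/../../esm2/x.js"} {
		p, err := SafeJoin("/srv/esm", req)
		fmt.Printf("%-24s -> path=%q err=%v\n", req, p, err)
	}
}
```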
Upgrade to a version of esm.sh later than 136. This fixes the local file inclusion vulnerability. See the security advisory on GitHub for more details.
CVE-2025-59341 is a File Inclusion vulnerability in esm.sh, allowing attackers to potentially include arbitrary files and execute malicious code. It is rated HIGH severity (CVSS 7.5).
You are affected if you are using esm.sh versions prior to 136.0.1. Assess your dependencies and upgrade immediately if vulnerable.
Upgrade to version 136.0.1 or later of esm.sh. If immediate upgrade is not possible, implement input validation and consider WAF rules.
No active exploitation has been confirmed as of this writing, but the vulnerability's nature suggests potential for exploitation.
Refer to the esm.sh project's repository and release notes for the official advisory and details on the fix.