HIGHCVE-2025-59341CVSS 7.5

CVE-2025-59341: File Inclusion in esm.sh

Q: What is CVE-2025-59341 — File Inclusion in esm.sh?

CVE-2025-59341 is a File Inclusion vulnerability in esm.sh, allowing attackers to potentially include arbitrary files and execute malicious code. It is rated HIGH severity (CVSS 7.5).

Q: Am I affected by CVE-2025-59341 in esm.sh?

You are affected if you are using esm.sh versions prior to 136.0.1. Assess your dependencies and upgrade immediately if vulnerable.

Q: How do I fix CVE-2025-59341 in esm.sh?

Upgrade to version 136.0.1 or later of esm.sh. If immediate upgrade is not possible, implement input validation and consider WAF rules.

Q: Is CVE-2025-59341 being actively exploited?

No active exploitation has been confirmed as of this writing, but the vulnerability's nature suggests potential for exploitation.

Q: Where can I find the official esm.sh advisory for CVE-2025-59341?

Refer to the esm.sh project's repository and release notes for the official advisory and details on the fix.

Platform

Component

github.com/esm-dev/esm.sh

Fixed in

136.0.1

AI Confidence: highNVDEPSS 0.1%Reviewed: May 2026

View on NVD

Save

CVE-2025-59341 describes a File Inclusion vulnerability discovered in esm.sh, a JavaScript module loader. This flaw allows attackers to potentially include arbitrary files, which could lead to code execution and compromise of the system. The vulnerability affects versions prior to 136.0.1, and a patch has been released to address the issue.

Impact and Attack Scenarios

The File Inclusion vulnerability in esm.sh allows an attacker to manipulate the file inclusion process, potentially leading to the execution of malicious code. By crafting a malicious request, an attacker could include arbitrary files from the server, overwriting existing code or injecting new code. This could result in complete system compromise, including data theft, modification, and denial of service. The impact is particularly severe because esm.sh is used to load JavaScript modules, meaning a successful exploit could affect a wide range of applications and services that rely on it.

Exploitation Context

CVE-2025-59341 was publicly disclosed on 2025-09-24. The vulnerability's severity is rated HIGH (CVSS 7.5). No public proof-of-concept (PoC) code has been released as of this writing, but the nature of the File Inclusion vulnerability suggests that exploitation is likely possible. It is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Reports1 threat report

EPSS

0.11% (30% percentile)

CISA SSVC

Exploitationpoc

Automatableyes

Technical Impactpartial

Affected Software

Componentgithub.com/esm-dev/esm.sh

Vendorosv

Affected rangeFixed in

<= 136 – <= 136136.0.1

136136.0.1

Weakness Classification (CWE)

CWE-23

Timeline

Reserved2025-09-12
Published2025-09-24
Modified2026-03-03
EPSS updated2026-03-23

Mitigation and Workarounds

The primary mitigation for CVE-2025-59341 is to upgrade to version 136.0.1 or later of esm.sh. If immediate upgrade is not possible, consider implementing input validation and sanitization on any user-supplied data used in file inclusion paths. Web application firewalls (WAFs) configured to detect and block attempts to include arbitrary files can also provide a temporary layer of protection. Monitor system logs for unusual file access patterns or attempts to include unexpected files.

How to fix

Actualice a una versión posterior a la 136 de esm.sh. Esto solucionará la vulnerabilidad de inclusión de archivos locales. Consulte el advisory de seguridad en GitHub para obtener más detalles.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-59341 — File Inclusion in esm.sh?