EXECUTIVE SUMMARY:
CVE-2026-44594, with a CVSS score of 7.5, is a Path Traversal vulnerability in the esm.sh package. The vulnerability exists in the esbuild plugin's handling of the browser field in package.json: an attacker can publish an npm package whose browser field causes the server to read and return arbitrary files from the host filesystem during the build process. Exploitation requires only the ability to publish an npm package containing a carefully crafted browser field. This allows the attacker to read sensitive files from the server, including configuration files, log files, and other sensitive data. The business impact of exploitation includes unauthorized access to sensitive information, potentially leading to data breaches, unauthorized modifications, or other malicious activities. Exploitation is possible without authentication, and the attacker gains the capability to read arbitrary server files.
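The containment check that a browser-field resolver must perform before reading a mapped file, as an added example in Go (the language esm.sh is written in) that is not the project's own code and does not reproduce the vulnerable handling: it parses the object form of package.json's browser field and rejects any target that resolves outside the package root. The package.json body and the package root path are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// ResolveInside joins a browser-field target onto the package root and
// rejects absolute targets and any result that escapes the root.
func ResolveInside(pkgRoot, target string) (string, error) {
	if target == "" || filepath.IsAbs(target) {
		return "", fmt.Errorf("browser target %q must be relative", target)
	}
	root := filepath.Clean(pkgRoot)
	abs := filepath.Join(root, target) // Join cleans, collapsing ".." segments
	if abs != root && !strings.HasPrefix(abs, root+string(filepath.Separator)) {
		return "", fmt.Errorf("browser target %q escapes package root", target)
	}
	return abs, nil
}

// CheckBrowserField parses the object form of package.json's "browser" field
// and splits it into mappings that resolve inside pkgRoot and the specifiers
// that were rejected. Entries set to false disable a module and carry no
// path, so they are skipped; the plain-string form of the field is not handled.
func CheckBrowserField(pkgRoot string, pkgJSON []byte) (map[string]string, []string, error) {
	var pkg struct{ Browser map[string]any `json:"browser"` }
	if err := json.Unmarshal(pkgJSON, &pkg); err != nil {
		return nil, nil, err
	}
	ok, rejected := map[string]string{}, []string{}
	for spec, v := range pkg.Browser {
		target, isStr := v.(string)
		if !isStr {
			continue
		}
		abs, err := ResolveInside(pkgRoot, target)
		if err != nil {
			rejected = append(rejected, spec)
			continue
		}
		ok[spec] = abs
	}
	return ok, rejected, nil
}

// constructedPkgJSON is a made-up package.json used only for this example.
const constructedPkgJSON = `{"name":"demo-pkg","browser":{"./lib/node-only.js":"./lib/browser.js",
"fs":false,"./lib/leak.js":"../../../../outside-of-package.txt"}}`
```

The check operates on lexical paths only; a build server that extracts untrusted tarballs would additionally need to resolve symlinks inside the package before trusting the result.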
RECOMMENDATION:
We recommend updating github.com/esm-dev/esm.sh to the patched version listed in the GitHub advisory: https://github.com/advisories/GHSA-rg65-45m7-hq57
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-rg65-45m7-hq57