esm.sh · CVE-2025-59342
**Name of the Vulnerable Software and Affected Versions**
esm.sh versions 136 and earlier
**Description**
A path-traversal flaw exists in the handling of the `X-Zone-Id` HTTP header. The header value is used to construct a filesystem path without proper sanitization or restriction to the application’s storage directory. Supplying `../` sequences in the `X-Zone-Id` header allows an attacker to write files to arbitrary directories. The vulnerable code is located in `router.go` at lines 116 and 411. This can lead to arbitrary file creation or overwriting outside the intended storage directory, potentially enabling remote code execution, persistence, or tampering with application files.
**Recommendations**
Remove any `..` sequences from the `X-Zone-Id` header value before using it to build the file path.
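The following Go example, added here and not taken from esm.sh's own `router.go`, shows one way to apply the recommendation and goes one step further: instead of rewriting the header value, it rejects any `X-Zone-Id` that is not a single plain path segment, then confirms that the resolved path still lies under the storage directory before touching the filesystem. The storage directory, the `ZonePath`/`ZoneIDAllowed` names and the allowed character set are assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// ErrBadZoneID is returned when an X-Zone-Id value is rejected.
var ErrBadZoneID = errors.New("invalid X-Zone-Id header")

// ZoneIDAllowed reports whether a header value is acceptable as a single
// directory name. Assumed policy for this example: non-empty, at most 64
// bytes, only [A-Za-z0-9._-], and no ".." anywhere in the value.
func ZoneIDAllowed(id string) bool {
	if id == "" || len(id) > 64 || strings.Contains(id, "..") {
		return false
	}
	for _, r := range id {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
		case r == '-', r == '_', r == '.':
		default:
			return false
		}
	}
	return true
}

// ZonePath resolves the per-zone directory under storageDir and guarantees
// the result stays inside storageDir. Even though ZoneIDAllowed already
// forbids separators and "..", the containment check is kept as a second,
// independent line of defence in case the allow-list is relaxed later.
func ZonePath(storageDir, zoneID string) (string, error) {
	if !ZoneIDAllowed(zoneID) {
		return "", ErrBadZoneID
	}
	base, err := filepath.Abs(storageDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, zoneID) // Join also cleans the result
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadZoneID
	}
	return target, nil
}

// zoneHandler is a hypothetical handler showing where the check sits:
// the header is validated before any path is derived from it.
func zoneHandler(storageDir string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		dir, err := ZonePath(storageDir, r.Header.Get("X-Zone-Id"))
		if err != nil {
			http.Error(w, "bad X-Zone-Id", http.StatusBadRequest)
			return
		}
		if err := os.MkdirAll(dir, 0o750); err != nil {
			http.Error(w, "storage error", http.StatusInternalServerError)
			return
		}
		fmt.Fprintf(w, "zone directory: %s\n", dir)
	}
}

func main() {
	// Constructed sample values: one benign zone id and a few that must be refused.
	for _, id := range []string{"zone-a", "../etc", "a/b", "..", ""} {
		p, err := ZonePath("/tmp/esm-storage", id)
		fmt.Printf("%-8q -> path=%q err=%v\n", id, p, err)
	}
	http.Handle("/zone", zoneHandler("/tmp/esm-storage"))
	// http.ListenAndServe(":8080", nil) would wire the handler up in a real service.
}
```

Rejecting the request outright, rather than deleting `..` from the value and continuing, keeps the logic easy to audit: the only values that reach `filepath.Join` are ones the allow-list already describes, and the `filepath.Rel` check will still catch anything that escapes the base directory if that allow-list is loosened.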