PT-2025-38247 · Esm Dev · Esm.Sh

Published

2025-09-17

Updated

2025-09-17

CVE-2025-59341

CVSS v4.0

7.7

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).

Fix

Relative Path Traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-23

Related Identifiers

CVE-2025-59341

Affected Products

Esm.Sh

PT-2025-38247 · Esm Dev · Esm.Sh

Weakness Enumeration

Related Identifiers

Affected Products

References · 4