CVE-2025-59341 — Vulnetix

Try Vulnetix Request Demo

CVE-2025-59341 PUBLISHED CVSS 7.699999809265137 HIGH

esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).

EPSS 0.11% · 29.9th percentile

Risk Scores

CVSS v4.0

7.699999809265137

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

EPSS Score

0.11%

29.9th percentile

Affected Products

Vendor	Product	Versions
esm-dev	esm.sh	<= 136
github.com	esm-dev/esm.sh	0

Timeline

Jan 21, 1970 Security Advisory
Sep 17, 2025 CVE Published
Sep 18, 2025 EPSS Score
Sep 24, 2025 EPSS Score
Oct 1, 2025 EPSS Score
Oct 4, 2025 Coalition ESS Score
Oct 6, 2025 Coalition ESS Score
Oct 7, 2025 EPSS Score
Oct 14, 2025 EPSS Score
Oct 20, 2025 EPSS Score
Oct 27, 2025 EPSS Score
Oct 27, 2025 Coalition ESS Score

References

Open in Interactive Console →