CVE-2025-59341 — Vulnetix

CVE-2025-59341 PUBLISHED CVSS 7.699999809265137 HIGH

esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).

EPSS 0.90% · 76.1th percentile

Risk Scores

CVSS 4.0

7.699999809265137

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

EPSS Score

0.90%

76.1th percentile

Affected Products

Vendor	Product	Versions
esm-dev	esm.sh	<= 136
github.com	esm-dev/esm.sh	0

Exploit Intelligence

CIRCL seen: CVE-2025-59341 (circl-sighting)
https://github.com/esm-dev/esm.sh/security/advisories/GHSA-49pv-gwxp-532r (circl)
https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168 (circl)
Nuclei Template: CVE-2025-59341 (nuclei-template)
Nuclei Template: CVE-2025-59341 (nuclei-template)
Nuclei Template: CVE-2025-59341 (nuclei-template)
Nuclei Template: CVE-2025-59341 (nuclei-template)
Nuclei Template: CVE-2025-59341 (nuclei-template)
Nuclei Template: CVE-2025-59341 (nuclei-template)
Nuclei Template: CVE-2025-59341 (nuclei-template)

…and 2 more exploits

Timeline

Jan 21, 1970 Security Advisory
Sep 17, 2025 CVE Published
Sep 18, 2025 EPSS Score
Sep 25, 2025 EPSS Score
Oct 2, 2025 EPSS Score
Oct 4, 2025 Coalition ESS Score
Oct 6, 2025 Coalition ESS Score
Oct 9, 2025 EPSS Score
Oct 16, 2025 EPSS Score
Oct 23, 2025 EPSS Score
Oct 27, 2025 Coalition ESS Score
Oct 30, 2025 EPSS Score

References

Open in Interactive Console →