{"id":"CVE-2025-59341","summary":"Local File Inclusion in esm.sh","details":"esm.sh is a nobuild content delivery network (CDN) for modern web development. In version 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).","aliases":["GHSA-49pv-gwxp-532r","GO-2025-3962"],"modified":"2026-04-10T05:31:59.162790Z","published":"2025-09-17T17:55:25.827Z","related":["SUSE-SU-2025:3799-1","openSUSE-SU-2025:15576-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59341.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-23"]},"references":[{"type":"WEB","url":"https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59341.json"},{"type":"ADVISORY","url":"https://github.com/esm-dev/esm.sh/security/advisories/GHSA-49pv-gwxp-532r"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59341"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/esm-dev/esm.sh","events":[{"introduced":"0"},{"last_affected":"1ad31b6352bb0a064ece812f6f360e4850e16051"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"136"}]}}],"versions":["v100","v101","v102","v103","v104","v105","v106","v107","v108","v109","v110","v111","v112","v113","v114","v115","v116","v117","v119","v120","v121","v122","v123","v124","v125","v126","v127","v128","v129","v130","v131","v132","v133","v134","v135","v135_1","v136","v34","v35","v37","v38","v39","v40","v41","v43","v44","v45","v46","v47","v49","v50","v51","v52","v53","v55","v56","v57","v59","v60","v61","v62","v63","v64","v65","v66","v67","v68","v69","v70","v71","v72","v73","v74","v75","v76","v77","v78","v79","v80","v81","v82","v83",
"v84","v85","v86","v87","v88","v89","v90","v91","v92","v93","v94","v95","v96","v97","v98","v99"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59341.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"}]}