Cyber Resilience

CVE-2025-59341

High

Published: 17 September 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score v4: 7.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0090 (76.1st percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-59341 is a high-severity Relative Path Traversal (CWE-23) vulnerability. Its CVSS base score is 7.7 (High).

Operationally, it ranks in the top 23.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

esm.sh, a nobuild CDN for modern web development, contains a Local File Inclusion vulnerability in versions 136 and earlier. The flaw resides in service URL handling and stems from improper path validation (CWE-23), allowing crafted requests to cause the server to read and return arbitrary files from the host filesystem or other unintended sources.

An unauthenticated remote attacker can exploit the issue over the network by submitting specially formed requests, resulting in disclosure of sensitive host files with no impact on integrity or availability. The CVSS 4.0 score of 7.7 reflects the high confidentiality exposure combined with low attack complexity and no required privileges or user interaction.
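The defect class described above is a request path being joined onto a served root without validation. The Go example below is added here for illustration and is not code from esm.sh or its router.go: `NaiveJoin` shows why `filepath.Join(root, reqPath)` alone is not a check (it cleans the combined path, so client-supplied `..` segments walk out of the root), and the hypothetical `ResolveUnder` shows the defender's counterpart, which decodes once, rejects NUL bytes and `..` segments, canonicalises, and then confirms the result still lies below the root. The root directory and request paths are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a request path would escape the served root.
var ErrTraversal = errors.New("request path escapes the served root")

// NaiveJoin is the pattern behind CWE-23. filepath.Join cleans the combined
// path, so ".." segments supplied by the client walk out of root instead of
// being rejected. Illustrative only; not code from esm.sh.
func NaiveJoin(root, reqPath string) string {
	return filepath.Join(root, reqPath)
}

// ResolveUnder maps a client-supplied URL path onto a file under root and
// rejects anything that would leave it. Hypothetical hardened helper.
func ResolveUnder(root, reqPath string) (string, error) {
	// Decode percent-encoding exactly once, so %2e%2e and %2f are examined
	// as the "." and "/" the filesystem would see.
	decoded, err := url.PathUnescape(reqPath)
	if err != nil {
		return "", fmt.Errorf("malformed percent-encoding: %w", err)
	}
	// A NUL byte can truncate the path in lower layers; never pass it on.
	if strings.ContainsRune(decoded, 0) {
		return "", errors.New("NUL byte in request path")
	}
	// Treat backslash as a separator too, so "..\" is caught on every platform.
	decoded = strings.ReplaceAll(decoded, `\`, "/")
	// Reject any ".." segment outright rather than silently neutralising it:
	// a legitimate module request never needs one, and rejecting makes the
	// attempt visible in access logs.
	for _, seg := range strings.Split(decoded, "/") {
		if seg == ".." {
			return "", ErrTraversal
		}
	}
	// Canonicalise as an absolute slash path (collapses "." and "//"), then
	// anchor it under root.
	clean := path.Clean("/" + decoded)
	full := filepath.Join(root, filepath.FromSlash(clean))
	// Defence in depth: confirm the result really sits below root.
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	// Constructed sample root; in a real service this is the content directory.
	root := filepath.Join(string(filepath.Separator), "srv", "esm")
	// Constructed sample request paths: two legitimate, three traversal attempts.
	for _, p := range []string{
		"react@18/index.js",
		"lib/./utils.js",
		"../../etc/passwd",
		"%2e%2e/%2e%2e/etc/passwd",
		"a/..%5c..%5cetc/passwd",
	} {
		got, err := ResolveUnder(root, p)
		fmt.Printf("%-28s naive=%-32s hardened=%q err=%v\n", p, NaiveJoin(root, p), got, err)
	}
}
```

The string-level checks above do not follow symbolic links; a service that serves from a directory an attacker can write to should additionally resolve the final path with `filepath.EvalSymlinks` and re-run the root check on the result.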

The associated GitHub security advisory GHSA-49pv-gwxp-532r and the referenced router.go source provide further technical detail on the affected code path. EPSS scores remain low, with a recorded peak of only 0.0156.

Vulnerability details

esm.sh is a nobuild content delivery network (CDN) for modern web development. In 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
