CVE-2025-59341
Published: 17 September 2025
Summary
CVE-2025-59341 is a high-severity Relative Path Traversal (CWE-23) vulnerability. Its CVSS base score is 7.7 (High).
Operationally, ranked in the top 23.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
esm.sh, a nobuild CDN for modern web development, contains a Local File Inclusion vulnerability in versions 136 and earlier. The flaw resides in service URL handling and stems from improper path validation (CWE-23), allowing crafted requests to cause the server to read and return arbitrary files from the host filesystem or other unintended sources.
An unauthenticated remote attacker can exploit the issue over the network by submitting specially formed requests, resulting in disclosure of sensitive host files with no impact on integrity or availability. The CVSS 4.0 score of 7.7 reflects the high confidentiality exposure combined with low attack complexity and no required privileges or user interaction.
The associated GitHub security advisory GHSA-49pv-gwxp-532r and the referenced router.go source provide further technical detail on the affected code path. EPSS scores remain low, with a recorded peak of only 0.0156.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-29745
Vulnerability details
esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to…
more
read and return files from the host filesystem (or other unintended file sources).
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.