PatchSiren cyber security CVE debrief
CVE-2026-44594 esm-dev CVE debrief
esm.sh is a no-build CDN for web development that transpiles and serves npm packages directly to browsers. In version 137 and earlier, a Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the `browser` field in `package.json`. An attacker can publish a malicious npm package with a crafted `browser` field that causes the server to read and return arbitrary files from the host filesystem during the build process. This vulnerability allows unauthenticated remote attackers to exfiltrate sensitive files from the esm.sh server infrastructure. The issue was disclosed via GitHub Security Advisory and received by NVD on 2026-05-28. The CVSS 3.1 score of 7.5 (HIGH) reflects network accessibility, low attack complexity, no required privileges or user interaction, and high confidentiality impact with no integrity or availability impact. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
- Vendor
- esm-dev
- Product
- esm.sh
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-28
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-28
- Advisory updated
- 2026-05-29
Who should care
Organizations operating private esm.sh instances, developers relying on esm.sh for production dependencies, security teams monitoring supply chain risks, and infrastructure operators hosting esm.sh services should prioritize patching and implementing compensating controls.
Technical summary
The vulnerability exists in esm.sh's esbuild plugin when processing the `browser` field in `package.json`. This field is typically used to specify browser-specific module replacements, but improper sanitization allows path traversal sequences to escape intended directories. When a malicious package is requested for transpilation, the server resolves the crafted path and reads arbitrary files from the underlying filesystem, returning their contents in the build output. The attack requires publishing a package to npm (or referencing one) and triggering a build request to esm.sh, with no authentication required.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade esm.sh to version 138 or later to remediate the LFI vulnerability
- Review and restrict npm package publishing permissions to trusted maintainers
- Implement path traversal detection and sandboxing in build pipeline file resolution
- Monitor server filesystem access logs for anomalous read patterns during package builds
- Audit published packages for suspicious browser field configurations
- Apply principle of least privilege to esm.sh server processes to limit filesystem exposure
Evidence notes
Vulnerability description sourced from official CVE record and NVD entry. CVSS vector and score confirmed from NVD data. CWE-22 classification confirmed from source metadata. GitHub Security Advisory GHSA-rg65-45m7-hq57 identified as primary disclosure source. Vendor status marked as unknown/needs review per source corpus.
Official resources
-
CVE-2026-44594 CVE record
CVE.org
-
CVE-2026-44594 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
2026-05-28