Attack Chain

1. An attacker crafts a malicious npm package containing a package.json file.
2. The package.json includes a browser field that remaps local module paths to paths outside the intended package directory using ../ sequences.
3. The attacker publishes the malicious package to the npm registry. The package name is chess-sec-utils1, version 1.0.6.
4. A user (or automated system) requests the malicious package (e.g., chess-sec-utils1@1.0.6) from an esm.sh instance.
5. The esm.sh server’s esbuild plugin resolves module paths during the build process.
6. The plugin uses the browser field remapping, which replaces the validated module path with the attacker-controlled path.
7. The server reads the file specified in the remapped path from its filesystem, subject to esbuild’s loader selection (e.g., .json, .txt, .js).
8. The contents of the file are included in the generated JavaScript bundle and/or the source map (sourcesContent array), which is then served to the user.

Impact

Successful exploitation of this vulnerability allows an attacker to read arbitrary files from the esm.sh server. This includes the config.json file, which may contain sensitive data such as npm registry authentication tokens and S3 storage credentials. The exposure of these credentials could allow the attacker to compromise the esm.sh infrastructure or gain unauthorized access to other resources. The proof of concept shows reading /etc/hostname, /etc/os-release and /etc/environment.

Recommendation

• Apply the patch suggested by the advisory to add a path validation check after the browser field remapping to prevent path traversal (reference: advisory content).
• Monitor npm package installations for packages with suspicious browser field entries containing ../ sequences (reference: advisory content).
• Deploy the Sigma rule to detect requests to esm.sh for packages that attempt path traversal (reference: the Sigma rule).
• Update go/github.com/esm-dev/esm.sh to a version >= 0.0.0-20250616164159-0593516c4cfa.