{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/esbuild/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["esm.sh"],"_cs_severities":["high"],"_cs_tags":["path traversal","local file inclusion","npm","esbuild"],"_cs_type":"advisory","_cs_vendors":["esm-dev"],"content_html":"\u003cp\u003eA local file inclusion (LFI) vulnerability, tracked as CVE-2026-44594, has been identified in esm.sh, specifically in the esbuild plugin\u0026rsquo;s handling of the \u003ccode\u003ebrowser\u003c/code\u003e field within \u003ccode\u003epackage.json\u003c/code\u003e files. An attacker can exploit this flaw by publishing a malicious npm package. This package, when processed by the esm.sh server during a build, allows the attacker to read arbitrary files from the server\u0026rsquo;s filesystem. The vulnerability arises because the \u003ccode\u003ebrowser\u003c/code\u003e field remaps module paths to attacker-controlled values with \u003ccode\u003e../\u003c/code\u003e sequences, bypassing validation checks. The issue affects versions prior to commit 0593516c4cfa. Successful exploitation can lead to the exposure of sensitive information such as npm registry authentication tokens and S3 storage credentials stored in the esm.sh \u003ccode\u003econfig.json\u003c/code\u003e file.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious npm package containing a \u003ccode\u003epackage.json\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epackage.json\u003c/code\u003e includes a \u003ccode\u003ebrowser\u003c/code\u003e field that remaps local module paths to paths outside the intended package directory using \u003ccode\u003e../\u003c/code\u003e sequences.\u003c/li\u003e\n\u003cli\u003eThe attacker publishes the malicious package to the npm registry. The package name is chess-sec-utils1, version 1.0.6.\u003c/li\u003e\n\u003cli\u003eA user (or automated system) requests the malicious package (e.g., \u003ccode\u003echess-sec-utils1@1.0.6\u003c/code\u003e) from an esm.sh instance.\u003c/li\u003e\n\u003cli\u003eThe esm.sh server\u0026rsquo;s esbuild plugin resolves module paths during the build process.\u003c/li\u003e\n\u003cli\u003eThe plugin uses the \u003ccode\u003ebrowser\u003c/code\u003e field remapping, which replaces the validated module path with the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eThe server reads the file specified in the remapped path from its filesystem, subject to esbuild\u0026rsquo;s loader selection (e.g., \u003ccode\u003e.json\u003c/code\u003e, \u003ccode\u003e.txt\u003c/code\u003e, \u003ccode\u003e.js\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe contents of the file are included in the generated JavaScript bundle and/or the source map (\u003ccode\u003esourcesContent\u003c/code\u003e array), which is then served to the user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker 
to read arbitrary files from the esm.sh server. This includes the \u003ccode\u003econfig.json\u003c/code\u003e file, which may contain sensitive data such as npm registry authentication tokens and S3 storage credentials. The exposure of these credentials could allow the attacker to compromise the esm.sh infrastructure or gain unauthorized access to other resources. The proof of concept shows reading /etc/hostname, /etc/os-release and /etc/environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch suggested by the advisory to add a path validation check after the \u003ccode\u003ebrowser\u003c/code\u003e field remapping to prevent path traversal (reference: advisory content).\u003c/li\u003e\n\u003cli\u003eMonitor npm package installations for packages with suspicious \u003ccode\u003ebrowser\u003c/code\u003e field entries containing \u003ccode\u003e../\u003c/code\u003e sequences (reference: advisory content).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect requests to esm.sh for packages that attempt path traversal (reference: the Sigma rule).\u003c/li\u003e\n\u003cli\u003eUpdate \u003ccode\u003ego/github.com/esm-dev/esm.sh\u003c/code\u003e to a version \u0026gt;= 0.0.0-20250616164159-0593516c4cfa.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T22:25:25Z","date_published":"2026-05-12T22:25:25Z","id":"https://feed.craftedsignal.io/briefs/2026-05-esmsh-path-traversal/","summary":"A local file inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the `browser` field in `package.json` within esm.sh, allowing an attacker to publish a malicious npm package that causes the server to read arbitrary files from the host filesystem.","title":"esm.sh Path Traversal Vulnerability via package.json Browser Field","url":"https://feed.craftedsignal.io/briefs/2026-05-esmsh-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Esbuild","version":"https://jsonfeed.org/version/1.1"}