CVE-2025-59341: 
vulnerability analysis and mitigation

A Local File Inclusion (LFI) vulnerability was discovered in esm.sh, a nobuild content delivery network (CDN) for modern web development, identified as CVE-2025-59341. The vulnerability was disclosed on September 17, 2025, affecting versions 136 and earlier of the esm.sh service. The issue lies in the URL handling mechanism where attackers could craft specific requests to access and retrieve files from the host filesystem (GitHub Advisory).

The vulnerability is classified as CWE-23 (Relative Path Traversal) and received a CVSS v4.0 score of 7.7 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P. The vulnerable code is located in the server/router.go file at line 1168, where the application directly opens files without properly sanitizing the file path input (GitHub Advisory).

The vulnerability allows attackers to read configuration files, private keys, environment files, and other sensitive files from the system. This can lead to the disclosure of secrets, credentials, and potentially enable further attacks through information leakage (GitHub Advisory).

The recommended remediation is to remove any '..' sequences in the URL path before processing the file. As of the disclosure date, no patched versions are available (GitHub Advisory).