CVE-2026-44594
esm.sh, a popular CDN for JavaScript development that eliminates the need for build processes, contains a vulnerability in how it processes package metadata. An attacker can publish a malicious npm package that tricks the esm.sh server into reading and exposing sensitive files from its own filesystem. This happens because the service doesn't properly validate how it interprets the 'browser' field in package.json during the build process. While the attacker cannot modify files or crash the service, they can gain unauthorized access to confidential data stored on esm.sh infrastructure.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-22
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, a Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-44594 is a Local File Inclusion (CWE-22) vulnerability in esm.sh version 137 and earlier, affecting the esbuild plugin's package.json parser. When processing the 'browser' field—a standard npm package metadata field—the plugin fails to properly sanitize path inputs, allowing path traversal attacks. An attacker can craft a malicious npm package with a specially constructed 'browser' field value that causes the server to read arbitrary files from the host filesystem during the bundling process. The accessed file contents are returned to the attacker, enabling disclosure of configuration files, private keys, source code, or other sensitive data residing on the cdn's servers. The vulnerability requires no authentication and can be triggered remotely by publishing to npm.
Business impact
Organizations and developers relying on esm.sh for production JavaScript delivery face information disclosure risks. If an attacker successfully exploits this vulnerability, they could potentially access environment variables, API credentials, private keys, or proprietary source code stored on esm.sh's infrastructure. This could lead to lateral attacks against downstream customers, compromise of the supply chain, or theft of intellectual property. The impact extends to any project using esm.sh in its build or development workflow, as the malicious package can be introduced either directly or as a transitive dependency. However, the actual business impact depends on what sensitive data esm.sh stores on affected servers and whether attackers can correlate leaked information with specific organizations.
Affected systems
esm.sh version 137 and earlier are directly affected. The vulnerability is triggered during the package resolution and bundling phase, so any build or deployment process that uses esm.sh to resolve or serve npm packages is potentially vulnerable. Developers using esm.sh in development environments or as part of CI/CD pipelines may be at elevated risk, particularly if the pipeline runs on shared infrastructure. End users consuming JavaScript bundles *served* by esm.sh (not built locally with it) are not directly vulnerable, as the attack occurs server-side during the build process itself.
Exploitability
This vulnerability is relatively straightforward to exploit. An attacker needs only to publish a malicious package to npm—a public, free action—and wait for esm.sh to process it, either through direct requests or through dependency resolution. The attack requires no authentication, no user interaction, and network access is trivial for a public CDN. The only complexity lies in discovering which files exist on the target server and crafting effective path traversal payloads, but this is a well-understood technique. However, practical exploitation impact is somewhat mitigated by the attacker's uncertainty about what sensitive data actually resides on the server and whether leaked information is useful without additional context. Nonetheless, the CVSS score of 7.5 (HIGH) reflects the ease of exploitation and the severity of potential information disclosure.
Remediation
Upgrade esm.sh to a patched version released after version 137. Verify the exact patched version against the official esm.sh repository or security advisory. The remediation involves sanitizing and validating all path inputs derived from package.json fields, particularly the 'browser' field, to prevent path traversal attacks. Implement strict path resolution policies that confine file access to intended package directories and prevent traversal outside those boundaries. Additionally, consider implementing input validation on npm package metadata before processing.
Patch guidance
Check the official esm.sh GitHub repository for security advisories and available patches. Upgrade to the latest version released after CVE-2026-44594 was disclosed (post-May 28, 2026). If you operate an esm.sh deployment, prioritize updating the esbuild plugin and core bundling logic. For development teams using esm.sh: if you maintain your own esm.sh instance, apply patches immediately. If you rely on the public esm.sh service, verify that the upstream service has been patched by checking their status page or release notes. Consider using a version lock or dependency pinning strategy to prevent automatic pulls of malicious packages during the interim.
Detection guidance
Monitor esm.sh server logs for unusual file access patterns or path traversal attempts in package.json parsing. Look for requests containing '../' sequences or absolute path traversals in the 'browser' field of processed packages. If you operate esm.sh infrastructure, audit recent package processing events to identify potentially malicious payloads. On the npm side, security teams can monitor for packages with suspicious or obfuscated 'browser' field entries, especially newly published packages or those with unusual names. Implement runtime checks to alert when esm.sh attempts to read files outside expected package directories. Network-based detection is limited, as exploitation occurs during server-side bundling, but IDS/IPS rules detecting path traversal in HTTP request bodies may catch some variants.
Why prioritize this
Despite not being listed on CISA's KEV catalog, this vulnerability merits immediate prioritization due to its HIGH severity rating, ease of exploitation, and supply-chain implications. The attack surface is global—any organization or developer using esm.sh can be targeted without prior compromise or specialized access. The confidentiality impact is significant; an attacker can exfiltrate sensitive data from cdn infrastructure, potentially affecting multiple downstream users. While the attack requires publishing a malicious package, this is a low-barrier action. Organizations should prioritize patching esm.sh infrastructure and reviewing any sensitive data that might have been exposed.
Risk score, explained
The CVSS v3.1 score of 7.5 (HIGH) reflects: Attack Vector Network (AV:N) - remotely exploitable with no special network conditions; Attack Complexity Low (AC:L) - no special conditions or race conditions required; Privileges Required None (PR:N) - no authentication needed; User Interaction None (UI:N) - the exploit triggers automatically when esm.sh processes the malicious package; Scope Unchanged (S:U) - impact is confined to the vulnerable component; Confidentiality High (C:H) - arbitrary files can be read; Integrity None (I:N) - no ability to modify data; Availability None (A:N) - no denial-of-service impact. The score appropriately reflects that this is an information disclosure vulnerability with trivial exploitation but not the highest impact, as it does not enable code execution, lateral movement, or service disruption on its own.
Frequently asked questions
Can this vulnerability be exploited if I use esm.sh only to serve already-built JavaScript, not to build packages?
No. The vulnerability occurs during the server-side package resolution and bundling phase. If you are consuming pre-built JavaScript bundles served by esm.sh's CDN without triggering new builds on the server, you are not vulnerable. The attack requires the server to actively process a malicious package, which happens when esm.sh is asked to resolve or bundle a new package.
Is my npm account at risk if I use a package that esm.sh processed?
Not directly from this CVE. The vulnerability allows an attacker to read files *on the esm.sh server*, not on your local machine or npm account. However, if sensitive data was leaked from esm.sh servers (e.g., API keys that were stored there), those credentials could be compromised and used elsewhere. Review any credentials that esm.sh might have access to, such as private npm tokens or build secrets.
Do I need to do anything if I don't operate my own esm.sh instance?
If you use the public esm.sh service, monitor their security advisories and status page for confirmation that they have patched this vulnerability. If you run an internal or self-hosted esm.sh deployment, upgrade to the patched version immediately. If you build packages locally using esm.sh as a tool or dependency, update to the patched version as soon as practical.
Can an attacker use this to steal private packages or credentials from my organization?
Only if your organization stores sensitive data on an esm.sh server or if credentials are passed to esm.sh during builds. The vulnerability reads files from the esm.sh server's filesystem, not from your local environment. However, if your build process includes credentials in environment variables or config files that are then passed to esm.sh, or if sensitive data is stored on shared esm.sh infrastructure, there is a risk of disclosure. Review your build configuration and esm.sh deployment for any exposed secrets.
This analysis is based on publicly available vulnerability data and CVSS scoring guidance as of the publication date. Actual impact and exploitability may vary based on specific esm.sh deployment configurations, the sensitivity of data stored on affected servers, and organizational controls. Proof-of-concept code and detailed exploitation techniques are not included in this advisory. Organizations should verify patch availability and applicability against the official esm.sh repository and security advisories before implementing remediation. This document is provided for informational purposes and does not constitute professional security advice or guarantee of security posture. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Browse
Related vulnerabilities
- CVE-2018-25408HIGH
CVE-2018-25408: Open ISES Project Path Traversal Vulnerability (High Severity)
- CVE-2024-40646HIGH
CVE-2024-40646: Vertex Path Traversal Vulnerability – Remote File Access Risk
- CVE-2026-10108HIGH
CVE-2026-10108: Unauthenticated Path Traversal in xiaomusic v0.5.7 – File Read Vulnerability
- CVE-2026-32847HIGH
CVE-2026-32847: DeepCode Path Traversal Allows Unauthenticated Arbitrary File Read
- CVE-2026-35082HIGH
CVE-2026-35082: MBS Solutions Gateway Firmware Path Traversal - File Access Vulnerability
- CVE-2026-39276HIGH
CVE-2026-39276: Emlog Pro v2.6.9 Path Traversal Remote Code Execution
- CVE-2026-43624HIGH
CVE-2026-43624: F5-TTS Path Traversal Vulnerability (CVSS 8.2)
- CVE-2026-45017HIGH
CVE-2026-45017: Python Liquid Path Traversal Allows Arbitrary File Read