esm.sh Local File Inclusion Vulnerability
Vulnerability
A local file inclusion (LFI) vulnerability has been identified in esm.sh, a no-build content delivery network (CDN) for modern web development. This issue affects versions through 136. The vulnerability arises from the service's URL handling, allowing an attacker to craft a request that prompts the server to read and return files from the host filesystem or other unintended file sources. Such exploitation could lead to the disclosure of sensitive information, including configuration files, private keys, and environment files, potentially enabling further attacks.
Impact
Exploitation of this vulnerability allows for unauthorized reading of local files, such as the database file esm.db or system files like /etc/passwd, leading to information leakage that could facilitate additional attacks.
Reproduction
To reproduce this vulnerability, first run the esm.sh server with a default configuration file that includes an npm token. Once the server is running, send a request to the server's URL path that includes a crafted file path traversal sequence. This request can be made using curl, specifying a target file such as /etc/passwd or the esm.db database file.
Remediation
It is recommended to validate and sanitize URL paths by removing any '..' sequences before processing file requests. More guidance on input validation can be found in the OWASP Input Validation Cheat Sheet.
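The following Go program is an added example written for this advisory; it is not esm.sh's own code and the function and variable names (`IsTraversalAttempt`, `ResolveUnderRoot`, `ErrTraversal`, the root `/srv/esm`) are assumptions. Go is used because esm.sh's server is written in Go. It covers both the request shape described under Reproduction (a path carrying a `..` traversal sequence, possibly percent-encoded) and the Remediation advice: rather than textually stripping `..`, which can be bypassed when the stripped string collapses back into a traversal sequence (for example `....//` becoming `../`), it decodes the path first, rejects any `..` element outright, and then confirms the resolved path still lies under the allowed root.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrTraversal is returned when a request path contains a ".." element or would
// otherwise resolve outside the allowed root. (Hypothetical name, not esm.sh's.)
var ErrTraversal = errors.New("path traversal attempt")

// decodeFully percent-decodes rawPath until it stops changing (bounded to three
// rounds), so double-encoded sequences such as %252e%252e are also seen as "..".
// If a round fails to decode, the last successfully decoded form is returned.
func decodeFully(rawPath string) string {
	cur := rawPath
	for i := 0; i < 3; i++ {
		next, err := url.PathUnescape(cur)
		if err != nil || next == cur {
			break
		}
		cur = next
	}
	return cur
}

// IsTraversalAttempt reports whether a request path, after decoding and
// normalising backslashes to slashes, contains a ".." element. It is suitable
// for logging and alerting; ResolveUnderRoot below enforces containment.
func IsTraversalAttempt(rawPath string) bool {
	decoded := strings.ReplaceAll(decodeFully(rawPath), `\`, "/")
	for _, elem := range strings.Split(decoded, "/") {
		if elem == ".." {
			return true
		}
	}
	return false
}

// ResolveUnderRoot maps a request path to a filesystem path guaranteed to stay
// under root. It rejects traversal attempts instead of silently stripping "..",
// and re-checks the final path as a second line of defence.
func ResolveUnderRoot(root, rawPath string) (string, error) {
	root = path.Clean(root)
	if IsTraversalAttempt(rawPath) {
		return "", ErrTraversal
	}
	decoded := strings.ReplaceAll(decodeFully(rawPath), `\`, "/")
	// Anchor with "/" so Clean resolves relative to the root, then join.
	cleaned := path.Clean("/" + decoded)
	resolved := path.Join(root, cleaned)
	// The result must be the root itself or something strictly inside it.
	if resolved != root && !strings.HasPrefix(resolved, root+"/") {
		return "", ErrTraversal
	}
	return resolved, nil
}

func main() {
	// Constructed sample request paths (not taken from the advisory).
	requests := []string{
		"/react@18/index.js",        // ordinary module request
		"/../../etc/passwd",         // plain traversal
		"/%2e%2e/%2e%2e/esm.db",     // percent-encoded dots
		"/%252e%252e/esm.db",        // double-encoded dots
		`/..\..\esm.db`,             // backslash separators
		"/a/b/../c.js",              // ".." that stays under root: still rejected, by design
	}
	for _, r := range requests {
		p, err := ResolveUnderRoot("/srv/esm", r)
		fmt.Printf("%-26s traversal=%-5v resolved=%q err=%v\n", r, IsTraversalAttempt(r), p, err)
	}
}
```

The check is deliberately strict: any `..` element is refused even when the path would have stayed under the root, because a CDN serving package files has no legitimate need for relative navigation in request paths, and a flat rule is easier to audit. `IsTraversalAttempt` can also be run over access-log request paths to surface probing before a patched build is deployed.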
