esm.sh Template Literal Injection Vulnerability Allowing Cross-Site Scripting and Remote Code Execution

Vulnerability

A template literal injection vulnerability has been identified in the esm.sh content delivery network, prior to version 136. This vulnerability arises in the CSS-to-JavaScript module conversion feature, where CSS content is embedded into a template literal without proper sanitization. An attacker can inject malicious JavaScript using `${...}` expressions in CSS files, which will execute when the module is imported by the victim's application. This flaw enables cross-site scripting (XSS) in web browsers and remote code execution (RCE) in Electron applications.
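As an added example (not esm.sh's own code), the following JavaScript models the CSS-to-JavaScript conversion described above: the vulnerable template-literal shape beside a hardened version that serialises the CSS with JSON.stringify, plus a round-trip check a build or CDN pipeline can run to catch the defect. All function names and the sample CSS are constructed for illustration.

```javascript
// Browser-only tail shared by both module shapes; the evaluator below never runs it.
const MODULE_TAIL =
  'const style = document.createElement("style");\n' +
  'style.textContent = css;\n' +
  'document.head.appendChild(style);\n' +
  'export default css;\n';

// Vulnerable shape: untrusted CSS is spliced straight into a template literal,
// so any "${...}" inside it becomes a live expression when the module is evaluated,
// and an ordinary CSS escape such as "\201C" is even a template-literal SyntaxError.
function cssModuleUnsafe(css) {
  return 'const css = `' + css + '`;\n' + MODULE_TAIL;
}

// Hardened shape: serialise the CSS as a JSON string literal. JSON.stringify escapes
// backslashes, quotes and line terminators, so the CSS can only ever be data.
function cssModuleSafe(css) {
  return 'const css = ' + JSON.stringify(css) + ';\n' + MODULE_TAIL;
}

// Evaluate only the data-carrying statement of a generated module and return the
// value bound to `css`, leaving the DOM-dependent tail untouched.
function evaluateCssBinding(moduleSource) {
  const binding = moduleSource.slice(0, moduleSource.indexOf(MODULE_TAIL));
  return new Function(binding + ' return css;')();
}

// Round-trip check: the evaluated binding must equal the input exactly. Any
// difference, or any error, means the CSS was parsed as code rather than data.
function roundTrips(convert, css) {
  try {
    return evaluateCssBinding(convert(css)) === css;
  } catch (_) {
    return false;
  }
}

// Constructed CSS samples: one carries the "${...}" sequence from the advisory,
// the other a common CSS unicode escape.
const CSS_WITH_INTERPOLATION = '.x { color: red; } /* ${1 + 1} */';
const CSS_WITH_ESCAPE = 'q { quotes: "\\201C" "\\201D"; }';

console.log(roundTrips(cssModuleUnsafe, CSS_WITH_INTERPOLATION)); // false
console.log(roundTrips(cssModuleSafe, CSS_WITH_INTERPOLATION));   // true
console.log(roundTrips(cssModuleUnsafe, CSS_WITH_ESCAPE));        // false
console.log(roundTrips(cssModuleSafe, CSS_WITH_ESCAPE));          // true
```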

Impact

Successful exploitation allows execution of arbitrary JavaScript in the importing application, which in Electron applications can lead to remote code execution.

Reproduction

To reproduce this vulnerability, upload a CSS file containing a `${...}` expression, such as `${alert(1)}`, to a package on a fake npm registry. Then, request the CSS file through the esm.sh CDN with the `?module` query parameter. The injected JavaScript will execute when the module is imported in a browser or an Electron application.

Remediation

Users are advised to update to esm.sh version 136 or later, where this vulnerability has been patched.

Added: Nov 19, 2025, 6:20 PM
Updated: Nov 19, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 7.7
remediation: 7.7
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.