esm.sh
Affected versions: <= 137
A Local File Inclusion (LFI) vulnerability has been identified in esm.sh, a no-build content delivery network (CDN) for web development, affecting versions through 137. The issue arises in the esbuild plugin's handling of the browser field in package.json. An attacker can publish a malicious npm package that tricks the server into reading and returning arbitrary files from the host filesystem during the build process.
Exploitation of this vulnerability allows attackers to read sensitive files from the server, such as the esm.sh config.json, which may contain npm registry authentication tokens and S3 storage credentials.
To reproduce this vulnerability, publish an npm package with a package.json file that includes a browser field remapping module paths to attacker-controlled values with '../' sequences. Once the package is published, request it from an esm.sh instance. The server will respond with the contents of the files specified in the browser field, including sensitive system files.
It is recommended to add a path validation check after the browser field remapping to prevent path traversal. The vulnerability can be addressed by ensuring that each resolved file path stays within the package's working directory and rejecting any remapping whose target escapes it.
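The check described above, as an added example that is not esm.sh's own code: a Go helper (esm.sh is a Go server) that resolves each browser-field target against the package directory and rejects any result that leaves it. The function names, the constructed package directory and the sample browser map are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsidePackage is returned when a remapped target resolves outside the package directory.
var ErrOutsidePackage = errors.New("browser field target escapes package directory")

// ResolveBrowserTarget resolves one browser-field target relative to pkgDir and
// rejects any result that is not inside pkgDir. pkgDir is expected to be absolute.
// (Hypothetical helper, not part of esm.sh.)
func ResolveBrowserTarget(pkgDir, target string) (string, error) {
	// An absolute target is never a legitimate in-package remap.
	if filepath.IsAbs(target) {
		return "", ErrOutsidePackage
	}
	// Join cleans the path, so "../" segments are collapsed before the check.
	resolved := filepath.Join(pkgDir, target)
	rel, err := filepath.Rel(pkgDir, resolved)
	if err != nil {
		return "", err
	}
	// Anything that still starts with ".." after cleaning has left the package.
	// The separator check also defends against a sibling directory with a
	// matching name prefix (e.g. "pkg" vs "pkg2"), which a plain string-prefix
	// test on the absolute path would accept.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsidePackage
	}
	return resolved, nil
}

// ResolveBrowserField applies the check to a parsed browser map. Values may be a
// string (remap) or the boolean false (module disabled); anything else is rejected.
// It returns the accepted remappings and the keys that were refused.
func ResolveBrowserField(pkgDir string, browser map[string]any) (map[string]string, []string) {
	safe := map[string]string{}
	var rejected []string
	for from, raw := range browser {
		switch to := raw.(type) {
		case bool:
			if !to {
				continue // "false" means "omit this module"; nothing to resolve
			}
			rejected = append(rejected, from)
		case string:
			p, err := ResolveBrowserTarget(pkgDir, to)
			if err != nil {
				rejected = append(rejected, from)
				continue
			}
			safe[from] = p
		default:
			rejected = append(rejected, from)
		}
	}
	return safe, rejected
}

func main() {
	pkgDir := "/srv/esm/npm/example-pkg" // constructed sample path
	browser := map[string]any{        // constructed sample browser field
		"./lib/node.js": "./lib/browser.js",
		"fs":            false,
		"./secret.js":   "../../../etc/config.json", // traversal attempt
	}
	safe, rejected := ResolveBrowserField(pkgDir, browser)
	fmt.Println("accepted:", safe)
	fmt.Println("rejected:", rejected)
}
```

The check runs on the cleaned, joined path rather than on the raw string, so an attacker cannot bypass it with sequences such as `lib/../../x` that look harmless before cleaning; a target like `lib/../index.js` that stays inside the package is still accepted.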