2 matches found
CVE-2025-59341
esm.sh is a nobuild content delivery networkCDN for modern web development. In 136 and earlier, a Local File Inclusion LFI issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem or other...
CVE-2025-59342
esm.sh (nobuild CDN) has a path traversal flaw via the X-Zone-Id header that allows writing files outside the intended storage directory. The issue affects version 136 and earlier; the header is used to build a filesystem path without proper canonicalization or storage-base confinement, enabling ...