CVE-2025-65026
BaseFortify
Publication date: 2025-11-19
Last updated on: 2025-11-20
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| esm.sh | cdn | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability is a Template Literal Injection (CWE-94) in esm.sh's CSS-to-JavaScript module conversion. When a CSS file is requested with the ?module parameter, esm.sh converts it into a JavaScript module by embedding the CSS content inside a template literal without proper sanitization. This allows an attacker to inject malicious JavaScript code using ${...} expressions within CSS files, which executes when the module is imported by victim applications.
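The sink described above, as an added example that is not esm.sh's code and does not reproduce its real conversion routine: a CSS-to-module converter that drops the CSS text straight into a JavaScript template literal, next to two hardened shapes (escaping the literal's metacharacters, or using a JSON string literal, which has no substitution syntax at all). The sample CSS inputs are constructed for the demonstration; the round-trip check evaluates the generated literal the way an importing application would and reports whether the exported string still equals the original CSS.

```javascript
// Added example (not esm.sh's code): why embedding raw CSS in a JS template
// literal is a code-injection sink (CWE-94) and how escaping closes it.
// The "const css = `...`" module shape is an assumption for illustration.

// Escape the three things that can break out of, or alter, a template literal:
// backslashes (escape sequences), backticks (terminator) and "${" (substitution).
function escapeForTemplateLiteral(css) {
  return css
    .replace(/\\/g, "\\\\")
    .replace(/`/g, "\\`")
    .replace(/\$\{/g, "\\${");
}

// Vulnerable shape: CSS text dropped unescaped into the literal.
function cssToTemplateLiteralNaive(css) {
  return "`" + css + "`";
}

// Hardened shape: same literal, but the CSS is escaped first.
function cssToTemplateLiteralSafe(css) {
  return "`" + escapeForTemplateLiteral(css) + "`";
}

// Alternative hardened shape: a JSON string literal cannot contain a substitution.
function cssToJsonLiteral(css) {
  return JSON.stringify(css);
}

// Wrap a literal in the ES module text a CDN might serve for a `?module` request.
function cssModuleSource(literal) {
  return "const css = " + literal + ";\nexport default css;\n";
}

// Evaluate the generated literal as an importing app would; throws on a
// SyntaxError or when the literal runs code instead of holding text.
function evaluateLiteral(literal) {
  return new Function("return " + literal)();
}

// Round trip: does the exported string equal the original CSS byte for byte?
function roundTrips(css, convert) {
  try {
    return evaluateLiteral(convert(css)) === css;
  } catch (e) {
    return false; // syntax error: the literal was broken by the input
  }
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLES = {
  substitution: '.a::after { content: "${1 + 1}"; }',   // "${" runs as code when unescaped
  backtick:     '.b::after { content: "`"; }',           // backtick terminates the literal early
  octalEscape:  '.c { font-family: "\\201C Quote"; }',   // "\2..." is a SyntaxError in a template literal
};

// For each sample, report whether each converter preserves the CSS unchanged.
function report() {
  const out = {};
  for (const [name, css] of Object.entries(SAMPLES)) {
    out[name] = {
      naive: roundTrips(css, cssToTemplateLiteralNaive),
      safe: roundTrips(css, cssToTemplateLiteralSafe),
      json: roundTrips(css, cssToJsonLiteral),
    };
  }
  return out;
}

console.log(report());
console.log(cssModuleSource(cssToTemplateLiteralSafe(SAMPLES.substitution)));
```

The naive converter fails on all three inputs: the `${...}` sample is evaluated as code, the backtick sample breaks the literal, and the backslash sample is rejected by the parser outright, which is the usual sign that text is being treated as source. Both hardened converters return the CSS unchanged; the JSON form is the simpler one to audit because it has no substitution syntax to escape.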
How can this vulnerability impact me?
This vulnerability can lead to Cross-Site Scripting (XSS) attacks in browsers and Remote Code Execution (RCE) in Electron applications. An attacker can execute arbitrary JavaScript code in the context of the victim application, potentially compromising user data, session tokens, or the application environment.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade esm.sh CDN service to version 136 or later, where the Template Literal Injection vulnerability has been patched.