Executive Summary

CVE-2026-44594 is a Local File Inclusion (LFI) vulnerability in the esm.sh server affecting versions 137 and below. It occurs due to improper handling of the `browser` field in the `package.json` file by the esbuild plugin. An attacker can publish a malicious npm package that uses path traversal sequences to remap module paths to arbitrary files on the server's filesystem. Because the server does not validate these remapped paths, the attacker can cause the server to read and return sensitive files during the build process.

This vulnerability allows unauthorized reading of files such as configuration files that may contain sensitive credentials like npm registry tokens and S3 storage keys. The file contents are exposed in the bundled JavaScript output and the source map's `sourcesContent` array. The attack requires no privileges or user interaction.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored on the server, such as configuration files containing credentials and tokens. An attacker exploiting this flaw can read arbitrary files from the host filesystem during the build process, potentially exposing secrets that could be used for further attacks or unauthorized access.

Because the attack requires no privileges or user interaction, it poses a significant security risk. The exposure of sensitive data can compromise the security of the affected system and any connected services.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring the build process of esm.sh for unexpected file reads or outputs containing contents of sensitive files from the host filesystem.

Specifically, look for bundled JavaScript output or source maps that include file contents from paths outside the expected module directories.

Since the vulnerability is triggered by malicious npm packages with path traversal sequences in the `browser` field of package.json, inspecting package.json files for suspicious `browser` field entries containing sequences like `../../../../` can help detect attempts to exploit this issue.

Commands to assist detection might include:

• Using grep or similar tools to find path traversal patterns in package.json files: `grep -r '\.\./' path/to/packages/`
• Monitoring build output files for unexpected file contents, for example: `grep -r 'sensitive_keyword' build/output/` where `sensitive_keyword` could be known strings from config files.
• Using file integrity monitoring tools to detect unexpected changes or reads of sensitive files during the build process.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting or monitoring the use of untrusted npm packages, especially those that specify the `browser` field in package.json.

Since no patches are currently available, it is recommended to implement path validation checks after the browser field remapping to ensure that resolved paths do not escape the intended directory.

Additionally, limit the permissions of the esm.sh build process to prevent unauthorized file reads and isolate the build environment to reduce potential impact.

Monitoring and alerting on unusual file access patterns during builds can also help detect exploitation attempts early.

Useful 0 Not Useful 0

Compliance Impact

The Local File Inclusion (LFI) vulnerability in esm.sh allows an attacker to read arbitrary files on the server, including sensitive configuration files that may contain credentials such as npm registry tokens and S3 storage keys.

This unauthorized access to sensitive data could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over the confidentiality and integrity of personal and sensitive information.

Because the vulnerability exposes sensitive credentials without requiring privileges or user interaction, it increases the risk of data breaches and non-compliance with these standards.

Useful 0 Not Useful 0