6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-65026

CVE-2025-65026: esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript

esm.sh is a nobuild content delivery network(CDN) for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a template literal without proper sanitization. An attacker can inject malicious JavaScript code using ${...} expressions within CSS files, which will execute when the module is imported by victim applications. This enables Cross-Site Scripting (XSS) in browsers and Remote Code Execution (RCE) in Electron applications. This issue has been patched in version 136.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-65026

CVE-2025-65026:

6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/esm-dev/esm.sh	go	< 0.0.0-20251118065157-87d2f6497574	0.0.0-20251118065157-87d2f6497574

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a template literal injection in the esm.sh CDN service, specifically within the feature that converts CSS to a JavaScript module. The provided description and the fixing commit 87d2f6497574bf4448641a5527a3ac2beba5fd6c clearly point to the esmRouter function in server/router.go as the location of the vulnerable code. The patch shows the removal of a code block that directly wrote CSS content into a JavaScript template literal without proper sanitization. The vulnerable code path was taken when the CSS content did not contain a backtick. An attacker could exploit this by crafting a CSS file containing a malicious JavaScript payload within a ${...} expression. The fix involves always JSON-encoding the CSS content before embedding it in the JavaScript response, thus neutralizing the injection vector. Therefore, esmRouter is the vulnerable function that would appear in a runtime profile during exploitation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-65026: esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript

CVE-2025-65026:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-65026: esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

6.1

6.1

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI