5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-67mh-4wv8-2f99

GHSA-67mh-4wv8-2f99: esbuild enables any website to send any requests to the development server and read the response

Summary

esbuild allows any websites to send any request to the development server and read the response due to default CORS settings.

Details

esbuild sets Access-Control-Allow-Origin: * header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response.

https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121 https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363

Attack scenario:

The attacker serves a malicious web page (http://malicious.example.com).
The user accesses the malicious web page.
The attacker sends a fetch('http://127.0.0.1:8000/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.
The attacker gets the content of http://127.0.0.1:8000/main.js.

In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by

Fetching /index.html: normally you have a script tag here
Fetching /assets: it's common to have a assets directory when you have JS files and CSS files in a different directory and the directory listing feature tells the attacker the list of files
Connecting /esbuild SSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))
Fetching URLs in the known file: once the attacker knows one file, the attacker can know the URLs imported from that file

The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.

PoC

Download reproduction.zip
Extract it and move to that directory
Run npm i
Run npm run watch
Run fetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content)) in a different website's dev tools.

Impact

Users using the serve feature may get the source code stolen by malicious websites.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-67mh-4wv8-2f99

GHSA-67mh-4wv8-2f99:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
esbuild	npm	<= 0.24.2	0.25.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the esbuild development server setting the Access-Control-Allow-Origin: * header for all requests, including the SSE connection. This allows any website to make requests to the development server and read the responses. The provided commit patch de85afd65edec9ebc44a11e245fd9e9a2e99760d directly addresses this by removing the overly permissive CORS header and adding host checking.

The ServeHTTP function in pkg/api/serve_other.go was responsible for handling general HTTP requests and previously set this header. The patch removed this line and added host validation logic.

The serveEventStream function in the same file was responsible for the SSE endpoint and also previously set this permissive header, which was removed in the patch.

Both functions are methods of the apiHandler struct. Therefore, these two functions are identified as the vulnerable functions as they were directly involved in setting the insecure CORS policy that led to the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-67mh-4wv8-2f99: esbuild enables any website to send any requests to the development server and read the response

Summary

Details

PoC

Impact

GHSA-67mh-4wv8-2f99:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

5.3

5.3

GHSA-67mh-4wv8-2f99: esbuild enables any website to send any requests to the development server and read the response

Summary

Details

PoC

Impact

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-67mh-4wv8-2f99: esbuild enables any website to send any requests to the development server and read the response

Summary

Details

PoC

Impact

GHSA-67mh-4wv8-2f99:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Vulnerability IntelligenceMiggo AI

5.3

5.3

GHSA-67mh-4wv8-2f99: esbuild enables any website to send any requests to the development server and read the response

Summary

Details

PoC

Impact

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI