CVE-2025-65026 in esm.sh

Summary

by MITRE • 11/19/2025

esm.sh is a nobuild content delivery network (CDN) for modern web development. Prior to version 136, the esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a template literal without proper sanitization. An attacker can inject malicious JavaScript code using ${...} expressions within CSS files, which will execute when the module is imported by victim applications. This enables Cross-Site Scripting (XSS) in browsers and Remote Code Execution (RCE) in Electron applications. This issue has been patched in version 136.


Analysis

by VulDB Data Team • 01/15/2026

The vulnerability identified as CVE-2025-65026 represents a critical template literal injection flaw within the esm.sh content delivery network service that operates as a nobuild CDN for modern web development. This vulnerability specifically manifests in the CSS-to-JavaScript module conversion feature that processes CSS files when the ?module query parameter is utilized. The service transforms CSS content into JavaScript modules by directly embedding the CSS content within template literals without implementing proper input sanitization or validation mechanisms. This design flaw creates a direct pathway for malicious code injection through the CSS file processing pipeline, fundamentally undermining the security assumptions of the CDN service.

The technical exploitation of this vulnerability relies on the inherent characteristics of JavaScript template literals and how they handle expression interpolation through the ${...} syntax. When attackers craft malicious CSS files containing template literal expressions, these expressions become executable JavaScript code during the module conversion process. The vulnerability falls under CWE-94, which specifically addresses the execution of arbitrary code through the injection of untrusted data into interpreted code contexts. The attack vector becomes particularly dangerous because CSS files can be served through legitimate CDN endpoints, making the injection appear as part of normal web content delivery. This allows attackers to bypass traditional security controls that might not inspect CSS content for executable code patterns.

The operational impact of this vulnerability extends beyond simple cross-site scripting to include potential remote code execution in Electron applications, significantly amplifying the threat surface. When victim applications import the compromised JavaScript modules, the injected code executes in the browser context, enabling XSS attacks that can steal session cookies, manipulate DOM elements, or redirect users to malicious sites. In Electron applications, which combine web technologies with native system access, the implications become more severe as the injected JavaScript code can potentially access the underlying operating system through Node.js integration, leading to full system compromise. This vulnerability affects the entire ecosystem of applications relying on esm.sh for module delivery, creating a widespread attack surface that could be exploited across multiple domains and applications simultaneously.

The remediation for this vulnerability required implementing proper input sanitization and output encoding mechanisms within the CSS-to-JavaScript conversion process. Version 136 of esm.sh addressed this issue by ensuring that CSS content is properly escaped or filtered before being embedded into template literals, preventing the interpretation of malicious expressions as executable code. Security best practices recommend that any code generation process involving untrusted input should employ strict sanitization techniques, including the use of context-appropriate escaping mechanisms for the target language. Organizations utilizing esm.sh should immediately upgrade to version 136 or later and conduct thorough security assessments of their applications to identify any potential exploitation attempts. The vulnerability also highlights the importance of considering the security implications of content conversion services and the need for comprehensive input validation across all data transformation pipelines. This incident aligns with ATT&CK techniques related to code injection and privilege escalation, emphasizing the critical need for secure coding practices in CDN and module delivery systems.
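The mechanism described in the analysis above (CSS dropped verbatim into a template literal) and the fix described in this paragraph (escaping before embedding) are easiest to see side by side. The following is an added example, not esm.sh's own conversion code: a deliberately unsafe converter, a hardened one that escapes the three characters with meaning inside a template literal, a helper that evaluates the generated module offline, and a static check that flags an unescaped `${` in generated output. The sample stylesheet is constructed; the only expression in it is `1 + 1`, which is enough to show whether the CSS is being interpreted as code.

```javascript
// Added example (not esm.sh's code): converting a CSS file into an ES module
// that exports the stylesheet as a string, first unsafely, then safely.

// Constructed sample CSS. It contains a template-literal expression; a
// vulnerable converter evaluates "${1 + 1}" as JavaScript when imported.
const UNTRUSTED_CSS = '.badge::before { content: "${1 + 1}"; }\n.x { color: red; }';

// Unsafe: the raw CSS is placed inside a backtick literal, so any `${...}`,
// backtick or backslash in the file is interpreted by the JavaScript engine.
function cssToModuleUnsafe(css) {
  return 'const css = `' + css + '`;\nexport default css;\n';
}

// Safe: escape backslashes first, then backticks, then the "${" opener, so the
// CSS is always an inert string no matter what it contains.
function escapeForTemplateLiteral(s) {
  return s
    .replace(/\\/g, '\\\\')
    .replace(/`/g, '\\`')
    .replace(/\$\{/g, '\\${');
}

function cssToModuleSafe(css) {
  return 'const css = `' + escapeForTemplateLiteral(css) + '`;\nexport default css;\n';
}

// Evaluate a generated module offline to see exactly what a consumer would
// import. The export statement is rewritten to a return so new Function can
// run the body; nothing here touches the network or the DOM.
function importGenerated(moduleSource) {
  const body = moduleSource.replace('export default css;', 'return css;');
  return new Function(body)();
}

// Static check for a code review or CI step: an unescaped "${" inside the
// generated module means the CSS is being interpreted, not quoted.
function hasUnescapedInterpolation(moduleSource) {
  return /(^|[^\\])\$\{/.test(moduleSource);
}
```

Run against the sample, the unsafe module yields `content: "2"` (the expression was evaluated), while the safe module round-trips the CSS byte for byte. An equally sound alternative is to avoid template literals altogether and emit `JSON.stringify(css)` as a double-quoted string literal; the escaping variant is shown because it preserves the template-literal form the advisory describes.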

Responsible: GitHub M

Reservation: 11/13/2025

Disclosure: 11/19/2025

Moderation: accepted

CPE: ready

EPSS: 0.00023

KEV: no

Activities: very low
