CVE-2025-65026: Critical Template Literal Injection Vulnerability in esm.sh CDN Exposed

Overview

CVE-2025-65026 describes a template literal injection vulnerability in esm.sh, a no-build content delivery network (CDN) for modern web development. In versions prior to 136, CSS that esm.sh converts into a JavaScript module is embedded in the generated module without escaping, so an attacker who controls a CSS file served through the CDN can plant JavaScript inside it. When a client imports the converted module, that JavaScript runs in the client's context: Cross-Site Scripting (XSS) in a browser, and potentially Remote Code Execution (RCE) in an Electron application that imports modules from the vulnerable CDN.

Technical Details

The vulnerability lies in the CSS-to-JavaScript module conversion feature of esm.sh. When a CSS file is requested with the ?module query parameter, esm.sh wraps the CSS content in a JavaScript module by placing it inside a template literal (a backtick-delimited string). Template literals are not inert: any ${...} sequence inside them is a JavaScript expression that is evaluated when the literal is built, and a stray backtick terminates the literal early. Because versions before 136 did not escape the CSS before embedding it, an attacker who controls the CSS can insert ${...} expressions containing arbitrary JavaScript. When a client imports the generated module, the expression is evaluated as part of the module's own code, in the importing page's origin and with its privileges.

For example, a malicious CSS file could contain:

body {
  background-color: red;
  content: "${alert('XSS Vulnerability!')}";
}

When esm.sh processes this CSS file with the ?module parameter, the ${alert(...)} sequence lands inside the template literal of the generated module, so alert runs the moment the module is imported, before any of the importing application's own code touches the stylesheet. The CSS itself remains syntactically valid (the payload sits inside an ordinary CSS string), so a CSS-level validity check does not catch it.
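The conversion described above, modelled as an added example that is not esm.sh's code: a converter in the vulnerable shape (CSS dropped verbatim between backticks) next to a hardened one that emits a JSON string literal instead. The module layout around the css binding (MODULE_TAIL), the loadCssBinding harness and the globalThis.__injected side effect are assumptions made for illustration.

```javascript
// Added example, not esm.sh's code: a minimal model of a CSS-to-module
// converter in the vulnerable shape described above and in a hardened form.
// The module layout (a `css` binding followed by MODULE_TAIL) is an
// assumption for illustration only.

const MODULE_TAIL =
  'const sheet = new CSSStyleSheet();\n' +
  'sheet.replaceSync(css);\n' +
  'export default sheet;\n';

// Vulnerable: the CSS is dropped verbatim between backticks. Any ${...}
// in the CSS is evaluated as JavaScript when the module runs, and a stray
// backtick terminates the literal early.
function cssToModuleUnsafe(css) {
  return `const css = \`${css}\`;\n` + MODULE_TAIL;
}

// Hardened: emit a JSON string literal instead. JSON.stringify escapes
// backslashes, quotes and control characters, and a double-quoted string
// literal has no interpolation syntax, so the CSS can only ever be data.
function cssToModuleSafe(css) {
  return `const css = ${JSON.stringify(css)};\n` + MODULE_TAIL;
}

// Constructed malicious CSS. The payload records a global side effect
// instead of calling alert(), which does not exist outside a browser.
const MALICIOUS_CSS =
  'body {\n' +
  '  background-color: red;\n' +
  '  content: "${globalThis.__injected = \'ran\'}";\n' +
  '}';

// Runs only the `css` binding the converter emitted, the way the browser
// would when importing the module (CSSStyleSheet is unavailable in Node).
function loadCssBinding(moduleSource) {
  const binding = moduleSource.slice(0, moduleSource.indexOf(MODULE_TAIL));
  return new Function(binding + ' return css;')();
}

function demo() {
  delete globalThis.__injected;
  const unsafeCss = loadCssBinding(cssToModuleUnsafe(MALICIOUS_CSS));
  const unsafeExecuted = globalThis.__injected === 'ran';

  delete globalThis.__injected;
  const safeCss = loadCssBinding(cssToModuleSafe(MALICIOUS_CSS));
  const safeExecuted = globalThis.__injected === 'ran';

  return {
    unsafeExecuted,                             // true: the ${...} ran at import
    unsafeCss,                                  // payload replaced by its result
    safeExecuted,                               // false: nothing ran
    safeRoundTrips: safeCss === MALICIOUS_CSS,  // true: CSS preserved byte-for-byte
  };
}

demo();
```

The hardened converter also survives a backtick in the CSS, which the vulnerable one turns into a SyntaxError (or, with a crafted suffix, into more code): JSON.stringify leaves the backtick inside a double-quoted literal where it has no meaning.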

CVSS Analysis

  • CVE ID: CVE-2025-65026
  • Severity: MEDIUM
  • CVSS Score: 6.1

A CVSS score of 6.1 indicates medium severity. The page does not list the vector, but 6.1 is the CVSS v3.1 value for the vector usually assigned to XSS, AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: exploitable over the network with no privileges, but requiring user interaction (a victim has to load a page that imports the malicious module), with changed scope (the code runs in the importing site's origin, not esm.sh's) and low confidentiality and integrity impact. The base score does not capture the Electron case, where a renderer with access to Node.js APIs turns the same injected code into code execution on the host, so treat 6.1 as a floor rather than a ceiling for such deployments.

Possible Impact

Successful exploitation of CVE-2025-65026 can have the following consequences:

  • Cross-Site Scripting (XSS): Attackers can inject malicious scripts into the context of the victim’s browser, allowing them to steal cookies, redirect users to malicious websites, or deface the web application.
  • Remote Code Execution (RCE) in Electron Applications: If a vulnerable esm.sh instance serves modules to an Electron application whose renderer has access to Node.js APIs (for example with nodeIntegration enabled), the injected JavaScript is no longer confined to a browser sandbox and can execute arbitrary code on the user's machine.
  • Data Breach: By stealing session cookies or injecting keyloggers, attackers can potentially gain access to sensitive user data.

Mitigation or Patch Steps

The vulnerability has been patched in esm.sh version 136. The fix is server-side: it is the esm.sh instance that must run version 136 or later, and nothing changes in the importing application.

  1. Upgrade esm.sh: If you self-host esm.sh, upgrade the server to version 136 or later. If you rely on the public esm.sh service, confirm that it is running a patched version.
  2. Review CSS Files: Audit any CSS that a vulnerable esm.sh instance converts with ?module, especially CSS that is generated dynamically, user-supplied, or pulled from third-party packages, for ${ sequences and stray backticks. A CSS-level check is not sufficient on its own: the whole file is embedded, so a ${ inside a CSS comment or string is just as live as one in a declaration.
  3. Content Security Policy (CSP): A strong CSP limits the damage but does not block this attack by itself. The injected code is part of a module loaded from esm.sh, an origin the page's script-src must already allow for the import to work, so script-src cannot tell it apart from the legitimate module. A restrictive connect-src and form-action limit where stolen data can be sent, and in Electron, disabling nodeIntegration and enabling contextIsolation removes the RCE path.
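A scanner for step 2, as an added example that is not part of the original post or of esm.sh. The sample stylesheet is constructed, and the severity labels are this example's own: "${" and backticks are treated as blocking, backslashes as review-worthy, because JavaScript consumes an escape sequence before CSS ever sees it.

```javascript
// Added example, not esm.sh's code: audit CSS that a vulnerable esm.sh
// instance will convert with ?module. The whole file is embedded, so a "${"
// inside a CSS comment or string is just as live as one in a declaration.
const HAZARDS = [
  // ${...} is evaluated as JavaScript inside the template literal.
  { kind: 'interpolation', re: /\$\{/g, severity: 'high' },
  // A backtick ends the template literal; whatever follows is parsed as code.
  { kind: 'backtick', re: /`/g, severity: 'high' },
  // Legitimate in CSS (e.g. content: "\e900"), but JavaScript consumes the
  // escape first: "\e900" silently becomes "e900" and "\2" is a SyntaxError in
  // a template literal, so the module fails to load. Review, do not block.
  { kind: 'backslash', re: /\\/g, severity: 'low' },
];

// Returns one finding per hazard occurrence, with 1-based line and column.
function findTemplateLiteralHazards(cssText) {
  const findings = [];
  cssText.split(/\r?\n/).forEach((line, index) => {
    for (const { kind, re, severity } of HAZARDS) {
      re.lastIndex = 0;
      let match;
      while ((match = re.exec(line)) !== null) {
        findings.push({
          line: index + 1,
          column: match.index + 1,
          kind,
          severity,
          excerpt: line.trim(),
        });
      }
    }
  });
  return findings;
}

// Decide whether the stylesheet may be served through the converter.
function auditCss(cssText) {
  const findings = findTemplateLiteralHazards(cssText);
  return { findings, block: findings.some((f) => f.severity === 'high') };
}

// Constructed sample stylesheet: a benign CSS escape plus two payloads, one
// of them hidden in a comment.
const SAMPLE_CSS = [
  '/* theme.css (constructed sample) */',
  '.icon::before { content: "\\e900"; }',
  'body { background-color: red; }',
  '/* TODO: ${alert("still runs from a comment")} */',
  '.x { content: "${alert(\'XSS Vulnerability!\')}"; }',
].join('\n');

// Prints a line per finding and the verdict; returns true when serving
// the file through ?module should be blocked.
function report(cssText) {
  const { findings, block } = auditCss(cssText);
  for (const f of findings) {
    console.log(`${f.severity.padEnd(4)} line ${f.line}:${f.column} ${f.kind}  ${f.excerpt}`);
  }
  console.log(block ? 'BLOCK: do not serve via ?module' : 'OK');
  return block;
}

report(SAMPLE_CSS);
```

Run it over each stylesheet before it reaches a converter you do not control; the comment on line 4 of the sample is the case a CSS-aware linter would ignore and this scanner deliberately does not.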

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
