GHSA-67mh-4wv8-2f99
CORS settings vulnerability in esbuild (npm)
What is GHSA-67mh-4wv8-2f99 About?
esbuild's development server responds with Access-Control-Allow-Origin: * by default, so any website can send requests to it and read the responses. This is an information disclosure issue: a malicious page can steal the served bundle, the original sources when source maps are enabled, and any other file the server exposes, and it takes little effort to exploit.
Affected Software
esbuild (npm), versions before 0.25.0
Technical Details
By default the esbuild development server adds Access-Control-Allow-Origin: * to every response, including the Server-Sent Events (SSE) stream on /esbuild. That header tells the browser to waive the read restriction of the Same-Origin Policy (SOP), so a page on any origin can issue cross-origin requests to the development server and read the response bodies.

The attack needs only a malicious web page. When a developer who has the server running (typically on http://127.0.0.1:8000) visits that page, its JavaScript fetches files such as main.js, index.html or source map files from the local server through the victim's own browser; the attacker never needs network access to the developer's machine. File names can be discovered by probing common paths like /index.html or /assets, or by connecting to the /esbuild SSE endpoint, which broadcasts the URLs of changed files as the developer edits. If source maps are enabled, the original, non-compiled source code can be retrieved as well.
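To make the mechanism concrete, here is an added example in Node-style JavaScript (not esbuild's own code). It models the exchange described above: the CORS header the server emits under the vulnerable wildcard default and under an origin allowlist, the check a browser applies before exposing a cross-origin response to script, and the attacker page's probe loop. The served files, the trusted origin http://localhost:3000 and the policy field names are constructed for the example; the real fix is the esbuild upgrade listed under Available Fixes.

```javascript
// Added example, not esbuild's own code: models how the wildcard CORS header
// lets an attacker page read files from a local development server, and how an
// origin allowlist closes that hole. Policy field names and the served files are
// constructed for this example.

// Where the development server listens (the advisory's typical default).
const SERVER_ORIGIN = "http://127.0.0.1:8000";

// Constructed "served directory": the URLs an attacker page would probe.
const DEV_SERVER_FILES = {
  "/index.html": "<script src=\"main.js\"></script>",
  "/main.js": "console.log('compiled bundle');",
  "/main.js.map": "{\"version\":3,\"sources\":[\"src/app.ts\"]}",
};

// esbuild < 0.25.0 behaviour: every response carries Access-Control-Allow-Origin: *.
const VULNERABLE_DEFAULT = { allowAnyOrigin: true, allowedOrigins: [] };

// Hardened alternative: echo the Origin only when it is on an explicit allowlist
// (the trusted origin here is an assumption for the example).
const HARDENED = { allowAnyOrigin: false, allowedOrigins: ["http://localhost:3000"] };

// Server side: CORS response headers for one request, given the policy.
// Header names are lower-cased, as Node's http module presents them.
function corsHeadersFor(requestOrigin, policy) {
  const headers = {};
  if (policy.allowAnyOrigin) {
    headers["access-control-allow-origin"] = "*";
  } else if (requestOrigin && policy.allowedOrigins.includes(requestOrigin)) {
    headers["access-control-allow-origin"] = requestOrigin;
    headers["vary"] = "Origin"; // the answer depends on Origin, so caches must key on it
  }
  return headers;
}

// Browser side: would script on requestOrigin get to read the response body?
// Same-origin reads are always allowed; cross-origin, credential-less reads need
// Access-Control-Allow-Origin to be "*" or the exact requesting origin.
function browserExposesResponse(requestOrigin, responseHeaders) {
  if (requestOrigin === SERVER_ORIGIN) return true;
  const allow = responseHeaders["access-control-allow-origin"];
  return allow === "*" || allow === requestOrigin;
}

// One simulated fetch(path) from a page on requestOrigin: the body if the
// browser exposes it, otherwise null (a 404 or a blocked cross-origin read).
function simulateFetch(requestOrigin, path, policy) {
  const body = DEV_SERVER_FILES[path];
  if (body === undefined) return null;
  const headers = corsHeadersFor(requestOrigin, policy);
  return browserExposesResponse(requestOrigin, headers) ? body : null;
}

// Attacker page's probe loop: try the paths the advisory mentions and keep
// whatever the browser hands back.
function attackerProbe(attackerOrigin, policy) {
  const leaked = {};
  for (const path of ["/index.html", "/assets", "/main.js", "/main.js.map"]) {
    const body = simulateFetch(attackerOrigin, path, policy);
    if (body !== null) leaked[path] = body;
  }
  return leaked;
}

// Stand-alone run: compare what https://attacker.example can read under each policy.
for (const [name, policy] of [["vulnerable default", VULNERABLE_DEFAULT], ["allowlist", HARDENED]]) {
  console.log(name, Object.keys(attackerProbe("https://attacker.example", policy)));
}
```

Under the wildcard default the attacker's origin reads all three files, including the source map; under the allowlist it reads nothing, while the trusted origin and the server's own origin still work. The same browser-side rule is why the SSE stream on /esbuild leaks too: it is just another response carrying the wildcard header.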
What is the Impact of GHSA-67mh-4wv8-2f99?
Successful exploitation lets an attacker read whatever the development server serves: application source code (including the original sources when source maps are enabled), configuration files and other intellectual property, which can amount to a data breach or hand a competitor the product's internals.
What is the Exploitability of GHSA-67mh-4wv8-2f99?
Exploitation is straightforward. The attacker needs to host a web page and get the victim to visit it; the victim must be running an esbuild development server with the default CORS settings at the time. No authentication is involved, because the weakness is the permissive CORS header itself, and no privileges on the victim's system are needed: the attack is remote, with the victim's browser acting as the conduit that sends the requests to the loopback server and hands the responses to the attacker's script. The likelihood of exploitation rises with how often developers browse the web while a development server is running.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for GHSA-67mh-4wv8-2f99?
Available Upgrade Options
- esbuild
- <0.25.0 → Upgrade to 0.25.0
