{"uuid": "7b2aacaf-94f5-4d5a-8483-977e473dd057", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-G7R4-M6W7-QQQR", "type": "seen", "source": "https://gist.github.com/alon710/174a230087452badddd6537b27864239", "content": "# GHSA-G7R4-M6W7-QQQR: GHSA-G7R4-M6W7-QQQR: Path Traversal and Arbitrary File Read in esbuild Development Server on Windows\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-06-12\n> **Full Report:** https://cvereports.com/reports/GHSA-G7R4-M6W7-QQQR\n\n## Summary\nImproper validation of backslash character separators in esbuild's local development server allows path traversal on Windows systems.\n\n## TL;DR\nThe esbuild local development server on Windows is vulnerable to arbitrary file read due to a path traversal flaw caused by improper backslash normalization.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-22\n- **Attack Vector**: Network (HTTP)\n- **CVSS v3.1 Score**: 7.5 (High)\n- **Exploit Status**: PoC Available\n- **Patch Version**: 0.28.1\n- **Affected OS**: Windows\n\n## Affected Systems\n\n- esbuild development server running on Windows hosts\n- **esbuild**: < 0.28.1 (Fixed in: `0.28.1`)\n\n## Mitigation\n\n- Upgrade esbuild to version 0.28.1 or higher\n- Restrict server host binding to 127.0.0.1 (localhost)\n- Validate incoming HTTP path parameters strictly in front-end configurations\n\n**Remediation Steps:**\n1. Identify all instances of esbuild within development packages (package.json, package-lock.json).\n2. Run 'npm install esbuild@0.28.1' or the equivalent for your package manager to update the dependency.\n3. Verify that esbuild.serve() configures the 'host' property explicitly to '127.0.0.1'.\n4. Restart development server environments and verify that backslash-based traversal requests are rejected with a 400 Bad Request status.\n\n## References\n\n- [GitHub Advisory GHSA-G7R4-M6W7-QQQR](https://github.com/advisories/GHSA-G7R4-M6W7-QQQR)\n- [esbuild Security Advisory Details](https://github.com/evanw/esbuild/security/advisories/GHSA-g7r4-m6w7-qqqr)\n- [esbuild Release Tag 0.28.1](https://github.com/evanw/esbuild/releases/tag/v0.28.1)\n- [v0.28.0 to v0.28.1 Code Comparison](https://github.com/evanw/esbuild/compare/v0.28.0...v0.28.1)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-G7R4-M6W7-QQQR) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T13:41:17.000000Z"}