CVE-2025-65026: CWE-94: Improper Control of Generation of Code ('Code Injection') in esm-dev esm.sh
esm.sh is a no-build content delivery network (CDN) for modern web development. Prior to version 136, the esm.sh CDN service contained a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a template literal without proper sanitization. An attacker can inject malicious JavaScript code using ${...} expressions within CSS files, which will execute when the module is imported by victim applications. This enables Cross-Site Scripting (XSS) in browsers and Remote Code Execution (RCE) in Electron applications. This issue has been patched in version 136.
AI Analysis
Technical Summary
esm.sh is a no-build CDN service widely used in modern web development to serve JavaScript and CSS modules. Prior to version 136, esm.sh contained a critical flaw in its CSS-to-JavaScript module conversion. When a CSS file is requested with the ?module query parameter, esm.sh converts the CSS into a JavaScript module by embedding the CSS content inside a JavaScript template literal. That embedding lacked sanitization against template literal injection (CWE-94): inside a template literal, ${...} is an expression placeholder, so CSS content containing that syntax is not treated as text but evaluated as JavaScript when the module is loaded. An attacker can therefore craft a CSS file containing such expressions, and when the resulting module is imported by a victim application, the injected JavaScript executes in the context of the importing environment. In web browsers, this results in Cross-Site Scripting (XSS), potentially allowing attackers to steal cookies, perform actions on behalf of users, or manipulate the DOM. In Electron applications, which run JavaScript with elevated privileges, this vulnerability escalates to Remote Code Execution (RCE), enabling attackers to execute arbitrary code on the victim's machine. The vulnerability is remotely exploitable without authentication but requires user interaction (importing the malicious module). The CVSS 3.1 score of 6.1 reflects medium severity: network attack vector, low attack complexity and no privileges required, but user interaction needed. No known exploits are currently reported in the wild. The issue was patched in esm.sh version 136 by sanitizing CSS content before embedding it into JavaScript template literals.
Potential Impact
For European organizations, this vulnerability poses significant risks, especially for those relying on the esm.sh CDN to deliver frontend assets or developing Electron-based desktop applications. Exploitation can lead to XSS attacks on web applications, compromising user data confidentiality and integrity and potentially damaging brand reputation. In Electron apps the impact is more severe, as RCE can lead to full system compromise, data theft, or lateral movement within corporate networks. Organizations with public-facing web portals or distributed Electron apps are particularly exposed. The medium CVSS score indicates moderate risk, but the potential for RCE in Electron environments elevates the threat level for affected desktop applications. This vulnerability could be leveraged in targeted attacks or supply chain compromises, impacting sectors such as finance, healthcare, and critical infrastructure where Electron apps are used. Additionally, the cross-site scripting vector can facilitate phishing or session hijacking campaigns against European users.
Mitigation Recommendations
1. Immediately upgrade esm.sh usage to version 136 or later, where the vulnerability is patched.
2. Audit all CSS files imported as modules via esm.sh for suspicious ${...} expressions or untrusted content.
3. Implement Content Security Policy (CSP) headers to restrict script execution origins and mitigate XSS impact.
4. For Electron applications, ensure strict validation and sanitization of all imported modules and consider sandboxing untrusted content.
5. Monitor network traffic and logs for unusual requests to esm.sh with ?module parameters containing suspicious payloads.
6. Educate developers about the risks of importing CSS as JavaScript modules without sanitization.
7. Consider using alternative CDNs or local hosting of CSS modules if an immediate upgrade is not feasible.
8. Employ runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect exploitation attempts.
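The conversion flaw described in the technical summary, and the audit step in mitigation recommendation 2, as an added example in JavaScript that is not esm.sh's own code: a naive CSS-to-module converter of the vulnerable shape beside two hardened forms, an offline evaluator that imports the generated module, and a line-level scanner that flags CSS containing sequences with meaning inside a template literal. The function names, the sample CSS and the choice of JSON.stringify or manual escaping as the hardening are assumptions; the page states only that version 136 added proper sanitization, not which escaping it uses.

```javascript
// Added example, not esm.sh's own code. Shows the template-literal injection
// shape in a CSS-to-JS conversion, two hardened forms, and an audit check.
// All function names and the sample CSS are hypothetical/constructed.

// Vulnerable shape: CSS text is dropped straight into a template literal, so a
// backtick, a backslash or a ${...} placeholder in the CSS becomes program text.
function cssToModuleNaive(css) {
  return "const css = `" + css + "`;\nexport default css;\n";
}

// Hardened shape A: emit a double-quoted JS string literal via JSON.stringify,
// which escapes quotes, backslashes and control characters. The CSS is then
// always data, whatever characters it contains. (JSON.stringify leaves U+2028
// and U+2029 unescaped; both are legal inside JS string literals since ES2019.)
function cssToModuleSafe(css) {
  return "const css = " + JSON.stringify(css) + ";\nexport default css;\n";
}

// Hardened shape B: keep the template literal but escape the three sequences
// that carry meaning inside one. Backslashes must be handled first.
function escapeForTemplateLiteral(s) {
  return s
    .replace(/\\/g, "\\\\")
    .replace(/`/g, "\\`")
    .replace(/\$\{/g, "\\${");
}
function cssToModuleEscaped(css) {
  return "const css = `" + escapeForTemplateLiteral(css) + "`;\nexport default css;\n";
}

// Run a generated module body offline and return its default export, by turning
// the `export default X;` line into `return X;` and executing it with Function.
function evalModuleDefault(source) {
  const body = source.replace(/^export default (.*);\s*$/m, "return $1;");
  return new Function(body)();
}

// Audit helper (mitigation step 2): list lines of a CSS file that contain a
// sequence which would change meaning if the file were wrapped in a template
// literal. Plain CSS rarely needs any of these, so each hit deserves a look.
function findTemplateLiteralHazards(css) {
  const hazards = [];
  css.split("\n").forEach((line, index) => {
    for (const marker of ["${", "`", "\\"]) {
      if (line.includes(marker)) hazards.push({ line: index + 1, marker });
    }
  });
  return hazards;
}

// Constructed sample: valid CSS whose second line carries a harmless
// template-literal placeholder inside a string value.
const SAMPLE_CSS = [
  ".card { color: red; }",
  '.note::after { content: "${1 + 1}"; }',
].join("\n");

// Convert the sample with each converter and import the result.
function demonstrate(css = SAMPLE_CSS) {
  return {
    naive: evalModuleDefault(cssToModuleNaive(css)),     // placeholder evaluated: content: "2"
    safe: evalModuleDefault(cssToModuleSafe(css)),       // identical to the original CSS
    escaped: evalModuleDefault(cssToModuleEscaped(css)), // identical to the original CSS
    hazards: findTemplateLiteralHazards(css),            // [{ line: 2, marker: "${" }]
  };
}

const result = demonstrate();
console.log(result.naive === SAMPLE_CSS, result.safe === SAMPLE_CSS, result.hazards);
```

The naive converter returns CSS whose placeholder has already been evaluated, which is the defect in miniature: the importing application received code, not a stylesheet. Either hardened converter round-trips the input exactly, and the hazard scanner gives a cheap pre-import check for CSS sourced from outside the team.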
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-13T15:36:51.682Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691e026693c808727dc91d1b
Added to database: 11/19/2025, 5:46:14 PM
Last enriched: 11/19/2025, 6:04:25 PM
Last updated: 11/21/2025, 9:21:12 PM