CVE-2025-65026: CWE-94: Improper Control of Generation of Code ('Code Injection') in esm-dev esm.sh
esm.sh is a no-build content delivery network (CDN) for modern web development. Prior to version 136, the esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a template literal without proper sanitization. An attacker can inject malicious JavaScript code using ${...} expressions within CSS files, which will execute when the module is imported by victim applications. This enables Cross-Site Scripting (XSS) in browsers and Remote Code Execution (RCE) in Electron applications. This issue has been patched in version 136.
AI Analysis
Technical Summary
CVE-2025-65026 is a code injection vulnerability classified under CWE-94 affecting esm.sh, a no-build CDN service widely used for modern web development. The vulnerability arises from esm.sh's CSS-to-JavaScript module conversion feature, which, prior to version 136, embeds CSS content directly into JavaScript template literals without proper sanitization. When a CSS file is requested with the ?module query parameter, esm.sh converts it into a JavaScript module by wrapping the CSS content inside a template literal. However, this process fails to neutralize embedded JavaScript expressions using the ${...} syntax, allowing attackers to inject arbitrary JavaScript code. This malicious code executes when the module is imported by victim applications, enabling Cross-Site Scripting (XSS) attacks in browsers. Furthermore, in Electron applications that import these modules, the injected code can lead to Remote Code Execution (RCE), posing a significant risk to desktop applications built on Electron. The vulnerability is exploitable remotely over the network without requiring authentication, but user interaction is necessary to import the malicious module. The issue was publicly disclosed and patched in esm.sh version 136. The CVSS 3.1 base score of 6.1 reflects a medium severity, considering the attack vector is network-based, the attack complexity is low, no privileges are required, but user interaction is needed, and the impact affects confidentiality and integrity partially but not availability. No known exploits are currently reported in the wild. This vulnerability highlights the risks of improper code generation and sanitization in dynamic module conversion services, especially those serving web and Electron application ecosystems.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to web applications and Electron-based desktop applications that rely on esm.sh CDN for module delivery. Successful exploitation can lead to XSS attacks in browsers, potentially allowing attackers to steal user credentials, session tokens, or perform actions on behalf of users. In Electron apps, the risk escalates to remote code execution, which can compromise the host system, leading to data theft, persistence, or lateral movement within corporate networks. Organizations in sectors with high reliance on modern web development frameworks and Electron apps—such as fintech, software development, and digital services—are particularly vulnerable. The medium severity score indicates that while the vulnerability is exploitable remotely and without privileges, it requires user interaction, somewhat limiting mass exploitation. However, targeted attacks against European enterprises using esm.sh could result in significant confidentiality and integrity breaches, impacting customer trust and regulatory compliance, especially under GDPR. The absence of known exploits in the wild suggests a window for proactive mitigation before widespread attacks occur.
Mitigation Recommendations
European organizations should immediately upgrade esm.sh dependencies to version 136 or later to apply the official patch. They should audit their use of esm.sh CDN, particularly any CSS modules imported with the ?module parameter, to identify and remove potentially malicious or untrusted CSS files. Implementing Content Security Policy (CSP) headers that restrict script execution sources can help mitigate XSS risks. For Electron applications, developers should enforce strict validation and sanitization of all imported modules and consider sandboxing techniques to limit code execution privileges. Monitoring network traffic for unusual requests to esm.sh endpoints and employing runtime application self-protection (RASP) can detect and block exploitation attempts. Additionally, educating developers about the risks of dynamic code generation and template literal injection can prevent similar vulnerabilities. Organizations should also maintain an inventory of third-party dependencies and CDN usage to quickly respond to future vulnerabilities.
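The two points above, the conversion mechanism from the Technical Summary and the recommendation to audit CSS served through a ?module-style converter, can be seen side by side in the following added example. It is not esm.sh's code and does not reproduce the patched implementation; the function names, the generated module shape, and the sample CSS are constructed for illustration. The unsafe wrapper concatenates CSS into a template literal, the hardened wrapper emits the CSS as a JSON string literal, and a small pre-flight check flags CSS that contains template-literal metacharacters.

```javascript
// Added example, not esm.sh's own code: a hypothetical CSS-to-module
// wrapper written the unsafe way and the hardened way, plus a pre-flight
// check for CSS that would break out of a naive template literal.

// Sequences that carry meaning inside a JavaScript template literal:
// an expression opener, a closing backtick, or an escape backslash.
const TEMPLATE_BREAKOUT = /\$\{|`|\\/;

// Pre-flight check for auditing CSS served through a ?module-style
// converter: true when the CSS contains a template-literal metacharacter.
function hasTemplateBreakout(css) {
  return TEMPLATE_BREAKOUT.test(css);
}

// Unsafe pattern (the defect class in the advisory): CSS is concatenated
// verbatim into a template literal, so a ${...} inside the CSS becomes an
// expression evaluated by whoever imports the module.
function cssToModuleUnsafe(css) {
  return (
    "const css = `" + css + "`;\n" +
    "const sheet = new CSSStyleSheet();\n" +
    "sheet.replaceSync(css);\n" +
    "export default sheet;\n"
  );
}

// Hardened pattern: emit the CSS as a JSON string literal. JSON.stringify
// escapes backslashes, quotes and control characters, and its output is a
// valid JavaScript string literal in ES2019+ engines, so no byte sequence in
// the CSS can close the literal or open an expression.
function cssToModuleSafe(css) {
  return (
    "const css = " + JSON.stringify(css) + ";\n" +
    "const sheet = new CSSStyleSheet();\n" +
    "sheet.replaceSync(css);\n" +
    "export default sheet;\n"
  );
}

// Evaluate only the `const css = ...;` literal of a generated module and
// return the string the importing application would receive. Stands in for
// a real import so the comparison runs offline in plain Node.
function evaluateCssLiteral(moduleSource) {
  const match = /^const css = ([\s\S]*?);\nconst sheet = /.exec(moduleSource);
  if (!match) throw new Error("unexpected module shape");
  return new Function("return (" + match[1] + ");")();
}

// Constructed sample: CSS whose content string holds a template expression.
// A harmless arithmetic expression is enough to show the difference: the
// unsafe wrapper evaluates it, the safe wrapper keeps it as text.
const SAMPLE_CSS = 'a::after { content: "${ 1 + 1 }"; }';

// Run both wrappers over the sample and report what an importer would get.
function demo() {
  return {
    flagged: hasTemplateBreakout(SAMPLE_CSS),
    unsafeResult: evaluateCssLiteral(cssToModuleUnsafe(SAMPLE_CSS)),
    safeResult: evaluateCssLiteral(cssToModuleSafe(SAMPLE_CSS)),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Running the file prints that the sample is flagged, that the unsafe wrapper hands the importer `a::after { content: "2"; }` (the expression ran), and that the hardened wrapper returns the CSS byte for byte. The JSON-literal approach is preferable to escaping individual characters because it needs no list of dangerous sequences to keep current; the pre-flight check is still useful for auditing existing CSS assets, since a hit means the file would have been misinterpreted by an unpatched converter.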
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-13T15:36:51.682Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691e026693c808727dc91d1b
Added to database: 11/19/2025, 5:46:14 PM
Last enriched: 11/26/2025, 6:55:52 PM
Last updated: 1/7/2026, 4:53:21 AM