CVE-2025-65026

6.1 MEDIUM

📋 TL;DR

CVE-2025-65026 is a template literal injection vulnerability in esm.sh's CSS-to-JavaScript conversion feature that allows attackers to inject malicious JavaScript code via CSS files. When exploited, this enables Cross-Site Scripting (XSS) in web browsers and Remote Code Execution (RCE) in Electron applications. Anyone serving CSS files through esm.sh versions before 136 with the ?module parameter is affected.
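As an added illustration (not esm.sh's own code), the following minimal CSS-to-module converter shows why dropping raw CSS into a JavaScript template literal is unsafe, and how escaping the sequences that are special inside a template literal makes the stylesheet inert; the sample CSS and the helper names are constructed for this example.

```javascript
// Added illustration, not esm.sh's own code: a minimal CSS -> JS module
// converter in its naive (vulnerable) form and a hardened form.

// Naive conversion: the CSS text is dropped straight into a template literal.
// Any `${...}` in the CSS becomes a JavaScript expression, and a stray
// backtick can terminate the literal early.
function cssToModuleNaive(css) {
  return "const css = `" + css + "`;\nexport default css;";
}

// Escape the three sequences that are special inside a template literal:
// backslash, backtick and "${". Backslashes are escaped first so that the
// escapes added afterwards are not themselves doubled.
function escapeTemplateLiteral(text) {
  return text
    .replace(/\\/g, "\\\\")
    .replace(/`/g, "\\`")
    .replace(/\$\{/g, "\\${");
}

// Hardened conversion: the CSS is treated as literal text only.
function cssToModuleSafe(css) {
  return "const css = `" + escapeTemplateLiteral(css) + "`;\nexport default css;";
}

// Evaluate a generated module body and return the exported CSS string.
// Function() is used here only to show what a browser would do with the
// module source; it is not needed in a real converter.
function loadModule(source) {
  const body = source.replace("export default css;", "return css;");
  return new Function(body)();
}

// Detection helper matching the log/network indicator on this page:
// flags CSS bodies that carry a template expression or a backtick.
function containsTemplateSequence(css) {
  return /\$\{|`/.test(css);
}

// Constructed sample: a stylesheet containing a harmless template expression.
// The naive module evaluates it (the CSS that loads reads content: "2");
// the hardened module returns the author's text unchanged.
const SAMPLE_CSS = '.x { content: "${1 + 1}"; }';
```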

💻 Affected Systems

Products:
  • esm.sh CDN service
Versions: All versions prior to 136
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects CSS files requested with ?module query parameter for JavaScript module conversion.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full remote code execution in Electron applications, allowing complete system compromise and data exfiltration.

🟠 Likely Case

Cross-site scripting attacks in web browsers, enabling session hijacking, credential theft, and client-side attacks.

🟢 If Mitigated

Limited impact with proper content security policies and input validation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires an attacker to control, or inject into, CSS content that esm.sh processes with the ?module parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 136

Vendor Advisory: https://github.com/esm-dev/esm.sh/security/advisories/GHSA-hcpf-qv9m-vfgp

Restart Required: No

Instructions:

1. Update esm.sh to version 136 or later.
2. If using self-hosted esm.sh, pull the latest code and redeploy.
3. Clear any cached CSS modules from the CDN.

🔧 Temporary Workarounds

Disable CSS module conversion (applies to: all)

Avoid using the ?module parameter for CSS files to prevent template literal injection.

Implement CSP headers (applies to: all)

Add strict Content Security Policy headers to limit script execution, for example:

Content-Security-Policy: script-src 'self'

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for CSS content before processing.
  • Use alternative CDN services or serve CSS files directly without esm.sh conversion.

🔍 How to Verify

Check if Vulnerable:

Check whether the esm.sh version is below 136 and whether any CSS files are served with the ?module parameter.

Check Version:

Check esm.sh response headers or API endpoint for version information.

Verify Fix Applied:

Confirm esm.sh version is 136 or higher and test CSS module conversion with malicious payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual CSS file requests with template literal patterns
  • Multiple failed injection attempts

Network Indicators:

  • HTTP requests to esm.sh with CSS files containing ${...} patterns
  • Unexpected JavaScript execution from CSS modules

SIEM Query:

source="esm.sh" AND (uri="*.css?module" OR body="${*}")
