Summary
esbuild's development server (versions 0.27.3 up to but not including 0.28.1) allows arbitrary file read on Windows: a crafted request path can escape the served directory and read files elsewhere on disk. It affects the development server only, not production builds, but anyone running `esbuild --serve` on Windows is exposed to any local or networked attacker who can reach the server.
How to fix it
- Upgrade `esbuild` to 0.28.1 or later, which fixes the dev-server path handling.
- Until you upgrade, do not expose the esbuild dev server beyond localhost, and run it only behind a trusted network boundary.
How to avoid it in your code
- Never expose development servers to untrusted networks; bind them to localhost and put them behind a VPN or firewall if remote access is genuinely needed.
- Keep build tooling updated; dev-server file-serving bugs are common and only matter while the server is reachable.
- Treat the development server as untrusted infrastructure, kept separate from anything that holds secrets.
References
Related vulnerabilities
All Supply chain →- CRITICALCVE-2024-23897
CVE-2024-23897 was a critical arbitrary file read vulnerability in the Jenkins automation server, identified by Sonar's Vulnerability Research and disclosed in the Jenkins security advisory on January 24, 2024, affecting Jenkins weekly up to 2.441 and LTS up to 2.426.2. Jenkins parses built-in CLI command arguments with the args4j library, whose expandAtFiles feature is enabled by default and replaces an argument that begins with an @ character followed by a file path with the contents of that file; because Jenkins never disabled this, an attacker could pass @/path/to/file as a CLI argument to make the controller read and disclose files from its filesystem. Unauthenticated attackers could read the first few lines of arbitrary files, while attackers with Overall/Read permission could read entire files, enabling theft of secrets, SSH keys, and credentials. The leaked binary secret keys could then be chained into full remote code execution by forging Remember-me cookies, abusing Resource Root URLs, bypassing CSRF protection, or decrypting stored secrets. The flaw was added to the CISA KEV catalog on August 19, 2024 and was actively exploited, including by the RansomEXX ransomware gang and the actor IntelBroker, and was linked to breaches at BORN Group and Brontoo Technology Solutions.
- HIGHCVE-2022-24348
CVE-2022-24348 was a high-severity (CVSS 7.7) path traversal vulnerability in Argo CD, the GitOps continuous delivery tool for Kubernetes, discovered by Apiiro and disclosed in early February 2022, affecting Argo CD before 2.1.9 and 2.2.x before 2.2.4. An attacker with permission to create or update Argo CD applications could craft a malicious Kubernetes Helm chart whose values file was a symbolic link pointing outside the repository root, or pass arbitrary values files, so that when Argo CD's Helm chart processing dereferenced the link it read files belonging to other applications on the repo server. This broke the multi-tenant isolation boundary of the CD layer, letting the attacker exfiltrate sensitive data from neighboring tenants, including secrets in encrypted value files decrypted to disk by plugins such as git-crypt or SOPS, and use verbose Helm error messages to enumerate the filesystem. The issue was fixed in Argo CD 2.1.9, 2.2.4, and 2.3.0; it was treated as a zero-day at disclosure but was not associated with named ransomware operators.
- CRITICALCVE-2026-54352
Budibase has arbitrary file read by workspace-builder via PWA-zip symlink upload
- HIGHGHSA-74p7-6h78-gw8p
skillctl: argument injection, path traversal in --dest, FIFO/device DoS, hardlink exfiltration, and commit-trailer forgery
- MEDIUMCVE-2026-44517
Build breakout using malicious Containerfile and Git Smart HTTP server or GitHub release tar archive
- MEDIUMCVE-2026-31978
motionEye has an Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint