GHSA-G7R4-M6W7-QQQR: GHSA-G7R4-M6W7-QQQR: Path Traversal and Arbitrary File Read in esbuild Development Server on Windows

GHSA-G7R4-M6W7-QQQR: Path Traversal and Arbitrary File Read in esbuild Development Server on Windows

Vulnerability ID: GHSA-G7R4-M6W7-QQQR
CVSS Score: 7.5
Published: 2026-06-12

Improper validation of backslash character separators in esbuild's local development server allows path traversal on Windows systems.

TL;DR

The esbuild local development server on Windows is vulnerable to arbitrary file read due to a path traversal flaw caused by improper backslash normalization.

---

⚠️ Exploit Status: POC

Technical Details

• CWE ID: CWE-22
• Attack Vector: Network (HTTP)
• CVSS v3.1 Score: 7.5 (High)
• Exploit Status: PoC Available
• Patch Version: 0.28.1
• Affected OS: Windows

Affected Systems

• esbuild development server running on Windows hosts
• esbuild: < 0.28.1 (Fixed in: 0.28.1)

Exploit Details

• GitHub Advisory: No description

Mitigation Strategies

• Upgrade esbuild to version 0.28.1 or higher
• Restrict server host binding to 127.0.0.1 (localhost)
• Validate incoming HTTP path parameters strictly in front-end configurations

Remediation Steps:

1. Identify all instances of esbuild within development packages (package.json, package-lock.json).
2. Run 'npm install esbuild@0.28.1' or the equivalent for your package manager to update the dependency.
3. Verify that esbuild.serve() configures the 'host' property explicitly to '127.0.0.1'.
4. Restart development server environments and verify that backslash-based traversal requests are rejected with a 400 Bad Request status.

References

• GitHub Advisory GHSA-G7R4-M6W7-QQQR
• esbuild Security Advisory Details
• esbuild Release Tag 0.28.1
• v0.28.0 to v0.28.1 Code Comparison

---

Read the full report for GHSA-G7R4-M6W7-QQQR on our website for more details including interactive diagrams and full exploit analysis.