GHSA-GV7W-RQVM-QJHR: Remote Code Execution via Missing Binary Integrity Verification in esbuild Deno Integration
Vulnerability ID: GHSA-GV7W-RQVM-QJHR
CVSS Score: 8.1
Published: 2026-06-12
An issue was discovered in the Deno integration of the esbuild package. The module fails to verify the integrity of the native binary packages it downloads from an npm registry before writing them to the local filesystem and executing them. An attacker who controls the NPM_CONFIG_REGISTRY environment variable (and so the registry the installer downloads from) or who intercepts the network connection can therefore substitute a malicious package and execute arbitrary native code on the host machine.
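The missing step described above is a content check on the downloaded package against a value the installer already trusts. The following added example (not esbuild's own installer code) shows what that check looks like: an SRI-style `sha512-<base64>` integrity string, pinned from a lockfile or embedded in the installer at release time, is compared in constant time against the bytes actually received, and the file is only written to disk when they match. The package bytes and the pinned value are constructed here so the example runs offline; the function names are illustrative.

```python
import base64
import binascii
import hashlib
import hmac
import os
import tempfile
from typing import Optional

SUPPORTED_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(data: bytes, algorithm: str = "sha512") -> str:
    """Return an SRI-style integrity string ('sha512-<base64>') for data."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(data: bytes, expected: str) -> bool:
    """Check data against a pinned '<algorithm>-<base64 digest>' string.

    Returns False for malformed strings, unsupported algorithms and mismatches,
    so the caller only ever proceeds on an explicit True.
    """
    try:
        algorithm, encoded = expected.split("-", 1)
        expected_digest = base64.b64decode(encoded, validate=True)
    except (ValueError, binascii.Error):
        return False
    if algorithm not in SUPPORTED_ALGORITHMS:
        return False
    actual = hashlib.new(algorithm, data).digest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected_digest)


def install_binary(package_bytes: bytes, pinned_integrity: str, dest_dir: str) -> Optional[str]:
    """Write the downloaded package to dest_dir only if it verifies.

    The pinned value must come from a trusted source (lockfile, value embedded
    in the installer), never from the registry response: when
    NPM_CONFIG_REGISTRY points at an attacker's registry, anything that
    response says about itself is attacker-controlled too.
    """
    if not verify_integrity(package_bytes, pinned_integrity):
        return None  # refuse to write, and therefore refuse to execute
    path = os.path.join(dest_dir, "esbuild-binary.tgz")
    with open(path, "wb") as f:
        f.write(package_bytes)
    return path


# Constructed sample "package" bytes standing in for the real tarball.
GOOD_PACKAGE = b"\x1f\x8b" + b"constructed-esbuild-native-binary-package"
# In a real installer this is a constant taken from the lockfile; it is
# computed here only so that the constructed sample verifies.
PINNED_INTEGRITY = sri_digest(GOOD_PACKAGE)
# What a poisoned registry would serve instead: same name, different bytes.
TAMPERED_PACKAGE = b"\x1f\x8b" + b"constructed-malicious-replacement-package"


def run_demo() -> dict:
    """Install both packages into a temp dir and report what was written."""
    dest = tempfile.mkdtemp(prefix="esbuild-demo-")
    good_path = install_binary(GOOD_PACKAGE, PINNED_INTEGRITY, dest)
    bad_path = install_binary(TAMPERED_PACKAGE, PINNED_INTEGRITY, dest)
    return {
        "good_written": good_path is not None and os.path.exists(good_path),
        "tampered_written": bad_path is not None,
    }


if __name__ == "__main__":
    print(run_demo())  # good package written, tampered package rejected
```

The important design point is where `PINNED_INTEGRITY` comes from: an installer that fetches the package's metadata and then checks the tarball against the `integrity` field of that same response has verified nothing, because both were served by the registry the attacker controls.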
TL;DR
Missing binary integrity verification in esbuild's Deno installer allows unauthenticated remote code execution via a poisoned registry configuration.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-494, CWE-426
- Attack Vector: Network / Local Environment Manipulation
- CVSS Score: 8.1 (High)
- Exploit Status: Proof of Concept (PoC) available
- CISA KEV Status: Not Listed
- Impact: Remote Code Execution (RCE)
Affected Systems
- esbuild (Deno module): >= 0.17.0, < 0.28.1 (fixed in 0.28.1)
Mitigation Strategies
- Upgrade esbuild to version 0.28.1 or higher.
- Avoid running Deno with --allow-all or --allow-run flags unless absolutely necessary.
- Enforce strict network egress controls and audit environment variable manipulation.
Remediation Steps
- Identify all projects importing esbuild via Deno module paths.
- Update the import URLs or dependency locks to specify esbuild version 0.28.1 or higher.
- Restrict the run permissions of Deno tasks in CI/CD pipelines to block unauthorized native execution.
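The first two remediation steps amount to finding every esbuild Deno import in a codebase and checking whether its pinned version falls in the affected range. The following added example (not part of the advisory or the esbuild project) does that over source text: it matches the two specifier shapes assumed here, `https://deno.land/x/esbuild@v<version>/mod.js` and `npm:esbuild@<version>`, parses the version, and flags anything in [0.17.0, 0.28.1). The sample source is constructed; specifiers with version ranges or no version are deliberately not matched, since those need a lockfile lookup rather than a text scan.

```python
import re
from typing import Iterable, List, Tuple

# Affected range from the advisory: >= 0.17.0 and < 0.28.1.
AFFECTED_MIN = (0, 17, 0)
FIXED_VERSION = (0, 28, 1)

# Assumed specifier shapes for esbuild under Deno:
#   https://deno.land/x/esbuild@v0.19.2/mod.js
#   npm:esbuild@0.19.2
ESBUILD_SPEC = re.compile(r"(?:deno\.land/x/esbuild@v|npm:esbuild@)(\d+)\.(\d+)\.(\d+)")

Version = Tuple[int, int, int]
Finding = Tuple[int, str, bool]  # (line number, version string, affected?)


def is_affected(version: Version) -> bool:
    """True when version lies in the advisory's affected range."""
    return AFFECTED_MIN <= version < FIXED_VERSION


def scan_source(text: str) -> List[Finding]:
    """Return every pinned esbuild specifier in text with its affected status."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in ESBUILD_SPEC.finditer(line):
            version = tuple(int(part) for part in match.groups())
            version_str = ".".join(match.groups())
            findings.append((line_no, version_str, is_affected(version)))
    return findings


def affected_imports(text: str) -> List[Finding]:
    """Only the findings that still need to be bumped to 0.28.1 or higher."""
    return [f for f in scan_source(text) if f[2]]


def scan_files(paths: Iterable[str]) -> dict:
    """Map each file path to its affected findings (files with none are omitted)."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8") as f:
            hits = affected_imports(f.read())
        if hits:
            report[path] = hits
    return report


# Constructed sample module with a mix of affected and unaffected pins.
SAMPLE_SOURCE = """\
import * as esbuild from "https://deno.land/x/esbuild@v0.17.19/mod.js";
import * as old from "https://deno.land/x/esbuild@v0.16.17/mod.js";
import * as fixed from "https://deno.land/x/esbuild@v0.28.1/mod.js";
import * as viaNpm from "npm:esbuild@0.20.2";
import * as unrelated from "npm:left-pad@1.3.0";
"""

if __name__ == "__main__":
    for line_no, version, affected in scan_source(SAMPLE_SOURCE):
        status = "UPGRADE to >= 0.28.1" if affected else "ok"
        print(f"line {line_no}: esbuild {version}: {status}")
```

Run it over the files a `deno info` or repository search turns up; any path listed in `scan_files` output needs its import URL or lock entry moved to 0.28.1 or higher.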