js · esbuild
Heads-up
esbuild dev server path traversal on Windows
The esbuild development server on Windows has a path traversal vulnerability.
What changed
The esbuild development server normalizes request paths with Go's path.Clean(), which only recognizes the forward slash as a separator. On Windows the backslash is also a separator, so backslash-separated ".." segments survive normalization unchanged; a Windows-aware normalization would have treated them as directory traversal. This lets attackers use backslashes to escape the servedir and read arbitrary files.
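The following is an added illustration of the normalization defect described above and of a hardened check; it is not esbuild's code and does not reproduce its dev server. NaiveResolve shows what path.Clean() leaves behind when a request uses backslashes; SafeResolve is a hypothetical hardened form that folds backslashes into forward slashes before cleaning and then refuses any result that leaves the served root. The served directory, request paths and file name below are constructed sample values, and the code models the served root with forward slashes so the behaviour is the same on any OS.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrOutsideRoot is returned when a request would resolve outside the served directory.
var ErrOutsideRoot = errors.New("request path escapes served directory")

// NaiveResolve mirrors the weak behaviour the advisory describes (hypothetical,
// not esbuild's code): path.Clean only understands '/', so a request such as
// "/..\..\secret.txt" is a single path element to it and passes through untouched.
// On Windows the resulting string is interpreted as climbing out of servedir.
func NaiveResolve(servedir, reqPath string) string {
	cleaned := path.Clean("/" + reqPath)
	return servedir + cleaned
}

// SafeResolve is a hardened form (hypothetical): it treats backslashes as
// separators the way Windows does, cleans the result, rejects anything that
// still points above the root, and finally re-checks that the joined path is
// inside servedir.
func SafeResolve(servedir, reqPath string) (string, error) {
	// Windows-aware step: fold '\' into '/' before any cleaning happens.
	normalized := strings.ReplaceAll(reqPath, "\\", "/")

	// Clean the request relative to the served root so ".." segments that
	// would climb above it are visible as a leading "..".
	rel := path.Clean(strings.TrimPrefix(normalized, "/"))
	if rel == ".." || strings.HasPrefix(rel, "../") {
		return "", ErrOutsideRoot
	}

	// Join and verify containment once more; defence in depth against any
	// normalization case the checks above did not anticipate.
	full := path.Join(servedir, rel)
	if full != servedir && !strings.HasPrefix(full, servedir+"/") {
		return "", ErrOutsideRoot
	}
	return full, nil
}

func main() {
	const servedir = "/srv/www" // constructed sample root

	// Constructed sample requests: one legitimate, two using backslashes.
	requests := []string{
		"/assets/app.js",
		"/..\\..\\secret.txt",
		"/assets/../..\\secret.txt",
	}
	for _, r := range requests {
		fmt.Printf("request %q\n", r)
		fmt.Printf("  naive : %s\n", NaiveResolve(servedir, r))
		if full, err := SafeResolve(servedir, r); err != nil {
			fmt.Printf("  safe  : rejected (%v)\n", err)
		} else {
			fmt.Printf("  safe  : %s\n", full)
		}
	}
}
```

The key line is the separator fold before path.Clean(): cleaning first and folding afterwards would let the ".." segments reappear after the check. The final HasPrefix comparison is deliberately kept even though the earlier check already rejects leading "..", so that a future change to the normalization cannot silently reopen the hole.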
Who it affects
Windows users running esbuild's development server with --servedir.
What to do today
Update esbuild to a patched version once available, or avoid using the development server on Windows with --servedir until a fix is released.