What Happened

The esbuild Deno module (`lib/deno/mod.ts`) downloads native binary executables from an npm registry without performing integrity verification, such as SHA-256 hash checks. This allows an attacker who can control the `NPM_CONFIG_REGISTRY` environment variable to supply a malicious binary, leading to remote code execution with the privileges of the Deno process.

Who Is Affected

Users of the esbuild Deno module in CI/CD pipelines, shared development environments, or corporate networks with custom npm registries are affected.

Severity & Impact

The vulnerability enables arbitrary code execution, which is particularly relevant in environments where `NPM_CONFIG_REGISTRY` is commonly set. An attacker does not need to compromise the npm registry itself, only the environment variable or the network path between the Deno process and the registry.

Mitigation

Suggested remediations include adding SHA-256 integrity verification to the Deno module, validating the `NPM_CONFIG_REGISTRY` URL to ensure HTTPS, and adding `ESBUILD_BINARY_PATH` validation.
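The three remediations above, combined into one hardened download path, as an added example that is not esbuild's own code. It assumes the module ships a table of pinned SHA-256 digests keyed by package and version (the single entry here is constructed: the "binary" used in the usage is the three bytes "abc"), a hypothetical tarball URL layout, and that ESBUILD_BINARY_PATH validation means "absolute path, no NUL bytes, and the same digest check as a download" (the advisory does not spell out the rules). I/O is injected so the flow runs offline.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Pinned digests a hardened loader would ship with the module.
// CONSTRUCTED entry: SHA-256 of the bytes "abc", used as the stand-in artifact.
export const PINNED_SHA256: Record<string, string> = {
  "esbuild-linux-64@0.0.0-example":
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
};

export const DEFAULT_REGISTRY = "https://registry.npmjs.org";

// Injected I/O so the verification flow can be exercised without network or disk.
export interface Io {
  env: (name: string) => string | undefined;
  fetchBytes: (url: URL) => Promise<Uint8Array>;
  readFile: (path: string) => Promise<Uint8Array>;
}

export function sha256Hex(bytes: Uint8Array): string {
  return createHash("sha256").update(bytes).digest("hex");
}

// Compare the computed digest with the pinned one in constant time.
export function digestMatches(bytes: Uint8Array, expectedHex: string): boolean {
  const actual = createHash("sha256").update(bytes).digest();
  const expected = Buffer.from(expectedHex, "hex");
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}

// NPM_CONFIG_REGISTRY is attacker-influenced in the advisory's scenario:
// accept only a well-formed https:// URL, so a plaintext hop cannot be spliced in.
export function validateRegistryUrl(raw: string): URL {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    throw new Error(`NPM_CONFIG_REGISTRY is not a valid URL: ${raw}`);
  }
  if (url.protocol !== "https:") {
    throw new Error(`NPM_CONFIG_REGISTRY must use https, got ${url.protocol}`);
  }
  return url;
}

// ESBUILD_BINARY_PATH rules are this example's assumption: absolute, no NUL bytes.
// The digest check below applies to the file at this path as well.
export function validateBinaryPath(p: string): string {
  if (p.includes("\0")) throw new Error("ESBUILD_BINARY_PATH contains a NUL byte");
  if (!p.startsWith("/") && !/^[A-Za-z]:[\\/]/.test(p)) {
    throw new Error("ESBUILD_BINARY_PATH must be an absolute path");
  }
  return p;
}

// Hypothetical artifact layout under the registry; esbuild's real URLs may differ.
export function binaryUrl(registry: URL, pkg: string, version: string): URL {
  const base = registry.href.endsWith("/") ? registry.href : registry.href + "/";
  return new URL(`${pkg}/-/${pkg}-${version}.tgz`, base);
}

// Resolve the native artifact from ESBUILD_BINARY_PATH or the registry, and
// refuse to hand it back unless its SHA-256 matches the pinned digest.
export async function resolveBinary(
  pkg: string,
  version: string,
  io: Io,
): Promise<{ source: "path" | "registry"; bytes: Uint8Array }> {
  const key = `${pkg}@${version}`;
  const expected = PINNED_SHA256[key];
  if (!expected) throw new Error(`no pinned digest for ${key}`);

  const override = io.env("ESBUILD_BINARY_PATH");
  if (override) {
    const bytes = await io.readFile(validateBinaryPath(override));
    if (!digestMatches(bytes, expected)) {
      throw new Error(`digest mismatch for ${override}: refusing to execute`);
    }
    return { source: "path", bytes };
  }

  const registry = validateRegistryUrl(io.env("NPM_CONFIG_REGISTRY") ?? DEFAULT_REGISTRY);
  const url = binaryUrl(registry, pkg, version);
  const bytes = await io.fetchBytes(url);
  if (!digestMatches(bytes, expected)) {
    throw new Error(`digest mismatch for ${url.href}: refusing to execute`);
  }
  return { source: "registry", bytes };
}
```

Wiring this into a real loader means passing an `Io` backed by `Deno.env.get`, `fetch` plus `arrayBuffer()`, and `Deno.readFile`; the pinned table is the part that must be updated on every release, which is exactly what makes a registry swap or an on-path substitution fail closed instead of executing.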