GHSA-g7r4-m6w7-qqqr: esbuild allows arbitrary file read when running the development server on Windows

June 12, 2026

The development server contains a path traversal vulnerability on Windows when serving files from servedir.

Due to the use of path.Clean() (which only normalizes forward-slash / separators) instead of a Windows-aware path normalization function, it is possible to craft requests using backslashes (\) that bypass the intended directory containment logic. An attacker can escape the configured servedir root and access arbitrary files on the filesystem. This issue affects Windows environments only.

References

github.com/advisories/GHSA-g7r4-m6w7-qqqr
github.com/evanw/esbuild/releases/tag/v0.28.1
github.com/evanw/esbuild/security/advisories/GHSA-g7r4-m6w7-qqqr

Code Behaviors & Features

Detect and mitigate GHSA-g7r4-m6w7-qqqr with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →