Anonymous Intelligence Signal

Dependabot Flags esbuild CORS Vulnerability (GHSA-67mh-4wv8-2f99), Exposing Dev Server Source Code

human The Lab unverified 2026-04-06 15:27:14 Source: GitHub Issues

A moderate-severity vulnerability in the widely used `esbuild` bundler has been surfaced by GitHub's Dependabot, exposing local development servers to source code exfiltration. The flaw, tracked as GHSA-67mh-4wv8-2f99, stems from esbuild's development server setting a permissive `Access-Control-Allow-Origin: *` header on every response, regardless of which origin sent the request. Browsers enforce the same-origin policy only on reading the response, and a wildcard in that header tells the browser that any origin may read it. As a result, any website a developer visits can `fetch()` URLs on the dev server at `http://127.0.0.1:<port>/` and read the bodies, leaking compiled bundles and source maps (which, with `sourcesContent`, typically embed the original source files).

The vulnerability affects esbuild versions `<= 0.24.2` and is patched in version `0.25.0`, which stops sending the header by default. In the flagged instance, the vulnerable `[email protected]` is installed as a transitive dependency via `[email protected]`, a popular frontend build tool that uses esbuild during development. The attack vector is specific to the development environment: it needs a dev server running and the developer visiting the malicious site in the same browser. The malicious page needs no credentials, because the dev server serves everything unauthenticated, so it can silently fetch project files and send them to an attacker-controlled host. This creates a direct path for intellectual property theft and offline analysis of the code.
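The read-versus-block decision described above, as an added example that is not esbuild's or Vite's own code. It models, in plain Node with no browser, a dev server that answers every request with `Access-Control-Allow-Origin: *` the way esbuild `<= 0.24.2` did, one that omits the header the way `0.25.0` does, and the browser rule that decides whether a page on another origin may read the body. The file names, file contents, origins and port are constructed for the example.

```javascript
// Added example, not esbuild's or Vite's own code. Models the cross-origin
// read that GHSA-67mh-4wv8-2f99 permits and the patched behaviour that
// closes it. All files, contents, origins and ports below are constructed.

// Constructed stand-in for what a bundler dev server serves: the bundle and
// its source map (source maps often embed the original sources).
const PROJECT_FILES = {
  '/app.js': 'const apiKey="sk-test-placeholder";export function main(){/* ... */}',
  '/app.js.map': '{"version":3,"sources":["src/main.ts"],"sourcesContent":["// original source"]}',
};

// Shared request handling; the two servers differ only in their CORS headers.
function serveFile(path, corsHeaders) {
  if (!(path in PROJECT_FILES)) {
    return { status: 404, headers: { ...corsHeaders }, body: '' };
  }
  return {
    status: 200,
    headers: { 'content-type': 'text/javascript', ...corsHeaders },
    body: PROJECT_FILES[path],
  };
}

// esbuild <= 0.24.2 behaviour: a wildcard allow-origin on every response,
// no matter which origin asked.
function vulnerableDevServer(req) {
  return serveFile(req.path, { 'access-control-allow-origin': '*' });
}

// esbuild 0.25.0 behaviour: no Access-Control-Allow-Origin header by default,
// so a cross-origin page gets an opaque (unreadable) response.
function patchedDevServer(req) {
  return serveFile(req.path, {});
}

// Browser CORS rule for a credential-less fetch, which is the situation a
// malicious page is in: the body is readable only if the response's
// Access-Control-Allow-Origin is "*" or equals the requesting page's origin
// byte for byte. Same-origin reads are always allowed; a missing header denies.
function browserCanRead(pageOrigin, serverOrigin, response) {
  if (pageOrigin === serverOrigin) return true;
  const acao = response.headers['access-control-allow-origin'];
  return acao === '*' || acao === pageOrigin;
}

// What the attacker's page does: request each path and keep whatever the
// browser lets it read. Returns { path: body } for the readable files.
function exfiltrate(pageOrigin, serverOrigin, server, paths) {
  const leaked = {};
  for (const path of paths) {
    const res = server({ path, headers: { origin: pageOrigin } });
    if (res.status === 200 && browserCanRead(pageOrigin, serverOrigin, res)) {
      leaked[path] = res.body;
    }
  }
  return leaked;
}

const DEV_SERVER_ORIGIN = 'http://127.0.0.1:8000';   // constructed port
const ATTACKER_ORIGIN = 'https://attacker.example';  // constructed origin
const WANTED = ['/app.js', '/app.js.map', '/missing.js'];

// Runs the attacker page against both servers and returns what leaked.
function demo() {
  return {
    vulnerable: exfiltrate(ATTACKER_ORIGIN, DEV_SERVER_ORIGIN, vulnerableDevServer, WANTED),
    patched: exfiltrate(ATTACKER_ORIGIN, DEV_SERVER_ORIGIN, patchedDevServer, WANTED),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Against the vulnerable server the attacker origin reads both the bundle and the source map; against the patched server it reads nothing, while a page served from the dev server's own origin still works. Note that the model ignores browser-side mitigations such as Chromium's private network access checks, which may preflight or block a public page's requests to loopback in some configurations; those are not a substitute for removing the wildcard header.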

While the immediate risk assessment for this specific project is noted as low, since esbuild is only used during development via Vite, the vulnerability highlights a systemic supply chain risk. Any project using an unpatched version of esbuild, Vite, or other tools that depend on it for local development is exposed whenever a developer runs the dev server and browses the web. The fix is to upgrade esbuild to `>= 0.25.0`; when it arrives transitively, that means bumping the lockfile entry (or moving to a release of the parent tool that depends on the fixed version) and confirming with `npm ls esbuild` that no nested copy remains. Because `0.25.0` removes the wildcard header, any workflow that genuinely needs cross-origin access to the dev server must opt in explicitly rather than rely on the old default. This incident underscores the persistent threat of development tooling becoming an attack surface, where seemingly low-risk dev servers can serve as gateways for compromising proprietary code before it ever reaches production.
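One way to find every copy of esbuild in a project, including a nested copy pulled in by Vite, is to walk the lockfile rather than trust the top-level version. The following is an added example, not esbuild's, Vite's or Dependabot's tooling; it audits a parsed `package-lock.json` (`lockfileVersion` 2 or 3) against the `< 0.25.0` range. The sample lockfile and the versions in it are constructed for the example.

```javascript
// Added example, not esbuild's or Vite's own tooling. Scans a v2/v3 npm
// lockfile for every esbuild entry and reports which fall in the
// GHSA-67mh-4wv8-2f99 range (< 0.25.0). The lockfile below is constructed.

const FIXED_VERSION = '0.25.0';

// Minimal semver triple comparison. Prerelease tags are dropped because the
// fix boundary is a plain release. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerableEsbuild(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walks the "packages" map. Keys look like "node_modules/esbuild" or
// "node_modules/vite/node_modules/esbuild"; the segments before the last
// one show which parents pulled the copy in. Platform packages such as
// "node_modules/@esbuild/linux-x64" are not the esbuild package itself.
function findEsbuildCopies(lock) {
  const results = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '' || !key.endsWith('node_modules/esbuild')) continue;
    const chain = key
      .split('node_modules/')
      .filter(Boolean)
      .map((s) => s.replace(/\/$/, ''));
    results.push({
      path: key,
      via: chain.slice(0, -1),
      version: entry.version,
      vulnerable: isVulnerableEsbuild(entry.version),
      dev: Boolean(entry.dev),
    });
  }
  return results;
}

// Returns only the copies that need an upgrade.
function auditLockfile(lock) {
  return findEsbuildCopies(lock).filter((c) => c.vulnerable);
}

// Constructed lockfile: a hoisted fixed copy plus a nested vulnerable copy
// under vite, which is the shape the flagged alert describes.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', devDependencies: { vite: '^5.0.0' } },
    'node_modules/vite': { version: '5.4.0', dev: true, dependencies: { esbuild: '^0.21.3' } },
    'node_modules/vite/node_modules/esbuild': { version: '0.21.5', dev: true },
    'node_modules/esbuild': { version: '0.25.0', dev: true },
    'node_modules/@esbuild/linux-x64': { version: '0.21.5', dev: true, optional: true },
  },
};

for (const hit of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${hit.path}: esbuild ${hit.version} via ${hit.via.join(' -> ') || '(direct)'}`);
}
```

To run it on a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLockfile`. Nested copies under a parent's `node_modules` are the ones `npm audit fix` and a top-level bump can miss; npm `overrides` or an upgrade of the parent that pins the fixed range removes them.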