esbuild Development Server CORS Vulnerability (GHSA-67mh-4wv8-2f99) Exposes Local Servers to Cross-Site Attacks
A critical security vulnerability in the popular JavaScript bundler esbuild exposes its development server to cross-origin attacks. The flaw, tracked as GHSA-67mh-4wv8-2f99, stems from the server's default CORS (Cross-Origin Resource Sharing) configuration, which sets the `Access-Control-Allow-Origin` header to a wildcard (`*`) on every response, including Server-Sent Events (SSE) connections. The wildcard tells the browser that any origin may read the response, so a malicious website visited by a developer can issue requests to the local esbuild development server and read the responses, access that the browser's same-origin policy would otherwise block.
The vulnerability is present in versions prior to the patched release, esbuild ^0.25.0. The issue was identified in the source code where the permissive header is applied universally. This creates a significant risk for developers running the esbuild dev server locally, as an attacker could exfiltrate sensitive data, interact with the local API, or probe the development environment from a compromised or malicious webpage.
The fix, included in the minor version update, involves tightening the CORS policy to restrict cross-origin requests appropriately. The GitHub security advisory and associated pull requests highlight the active effort to remediate the issue. This incident underscores the persistent security risks in developer tooling and local server configurations, where overly permissive defaults can create unintended attack surfaces. Developers are urged to update their esbuild dependency immediately to mitigate the risk of this client-side exploitation vector.
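To make the mechanism and the mitigation concrete, the following Go program (added here as an illustration; it is not esbuild's code and does not reproduce esbuild's actual patch) places a handler that applies the weak wildcard default beside a hardened handler that only echoes an `Origin` found on an explicit allowlist. The `crossOriginReadable` check reproduces the browser's decision for a credential-less cross-origin read: it is allowed when the response carries `Access-Control-Allow-Origin: *` or an exact match for the requesting origin. The endpoint path, bundle body and origin values are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// bundleBody stands in for whatever the dev server would serve (constructed sample).
const bundleBody = "console.log('bundle');"

// permissiveHandler mirrors the weak default described in the advisory:
// a wildcard Access-Control-Allow-Origin on every response, regardless of who asks.
func permissiveHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		w.Header().Set("Content-Type", "application/javascript")
		fmt.Fprint(w, bundleBody)
	})
}

// hardenedHandler echoes the Origin back only when it is on an explicit allowlist.
// Requests without an Origin header (same-origin navigations, curl) get no CORS
// header at all, and the response is marked Vary: Origin so caches keep the
// per-origin answers apart.
func hardenedHandler(allowed map[string]bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin != "" && allowed[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Add("Vary", "Origin")
		}
		w.Header().Set("Content-Type", "application/javascript")
		fmt.Fprint(w, bundleBody)
	})
}

// crossOriginReadable reports whether a page served from origin would be allowed
// by the browser to read the response body of a credential-less GET, based solely
// on the Access-Control-Allow-Origin header the handler emits. A wildcard or an
// exact origin match permits the read; a missing or mismatched header blocks it.
func crossOriginReadable(h http.Handler, origin string) bool {
	req := httptest.NewRequest(http.MethodGet, "/app.js", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	acao := rec.Header().Get("Access-Control-Allow-Origin")
	return acao != "" && (acao == "*" || acao == origin)
}

func main() {
	// Constructed origins: the developer's own page and an unrelated third-party site.
	trusted := "http://localhost:8000"
	untrusted := "https://third-party.example"
	allow := map[string]bool{trusted: true}

	fmt.Println("wildcard default, third-party origin readable:",
		crossOriginReadable(permissiveHandler(), untrusted))
	fmt.Println("allowlist, third-party origin readable:",
		crossOriginReadable(hardenedHandler(allow), untrusted))
	fmt.Println("allowlist, trusted origin readable:",
		crossOriginReadable(hardenedHandler(allow), trusted))
}
```

The same header logic governs an SSE connection opened with `EventSource`: the browser applies the identical `Access-Control-Allow-Origin` check to the event stream, so the allowlisted echo protects that endpoint in the same way as a plain bundle fetch.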