Esbuild Development Server Vulnerability (GHSA-67mh-4wv8-2f99): Default CORS Policy Exposes Servers to Cross-Site Attacks
A medium-severity security vulnerability in the widely used JavaScript bundler esbuild exposes development servers to cross-origin attacks. The flaw, tracked as GHSA-67mh-4wv8-2f99, stems from the tool's default CORS (Cross-Origin Resource Sharing) configuration: esbuild's development server automatically sets the `Access-Control-Allow-Origin: *` header on every response, including Server-Sent Events (SSE) connections. Because that header instructs the browser to relax its same-origin policy for the response, any website open in the user's browser can send requests to a locally running esbuild development server and read the responses, something the same-origin policy would otherwise block.
The vulnerability is present in esbuild versions prior to 0.25.0. The issue was identified in the source code where the CORS header is applied indiscriminately. This creates a significant risk for developers running the esbuild serve command locally, as malicious scripts from other browser tabs or windows could interact with their development environment. The fixed version, 0.25.0, addresses this by implementing more restrictive CORS settings.
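To make the mechanism concrete, the following is an added example (not esbuild's own code, and not the exact change shipped in 0.25.0): a toy dev-server handler that applies the wildcard CORS policy described above, the same handler with an origin allowlist as one possible restrictive setting, and a check that mirrors the browser's decision on whether a page from another origin may read the response. The allowlist, the request body, and every origin used below are constructed for the example.

```javascript
// Added example, not esbuild's own code. It models the wildcard CORS policy the
// advisory describes next to an origin-allowlist policy (an assumed hardening,
// not esbuild 0.25.0's exact change) and a browser-style read check.
// All origins and the served body are constructed for this example.

// Policy 1: the pre-0.25.0 behaviour described above, a wildcard on every response.
function permissiveCorsHeaders() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Policy 2: echo the request Origin only when it is on an explicit allowlist,
// and add Vary: Origin so a shared cache never hands one origin's copy to another.
function allowlistCorsHeaders(requestOrigin, allowedOrigins) {
  if (requestOrigin !== undefined && allowedOrigins.includes(requestOrigin)) {
    return { 'Access-Control-Allow-Origin': requestOrigin, 'Vary': 'Origin' };
  }
  return {}; // no ACAO header at all: the browser refuses cross-origin reads
}

// Builds a handler with Node's http (req, res) signature. `corsPolicy` is
// called with the request's Origin header (undefined when the header is absent).
function makeDevServerHandler(corsPolicy) {
  return (req, res) => {
    const headers = {
      'Content-Type': 'application/javascript',
      ...corsPolicy(req.headers.origin),
    };
    res.writeHead(200, headers);
    res.end('console.log("bundle served by the dev server");'); // constructed body
  };
}

// Mirrors the browser's CORS check for a credential-less GET (the case for a
// plain fetch() or EventSource issued from another tab): the page at
// `pageOrigin` may read the body only if ACAO is '*' or exactly its origin.
function browserAllowsRead(responseHeaders, pageOrigin) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  return acao === '*' || acao === pageOrigin;
}

// Runs a handler against a minimal stand-in for Node's req/res objects and
// returns what it produced, so the comparison below opens no socket.
function simulateRequest(handler, origin) {
  const req = { method: 'GET', url: '/bundle.js', headers: origin ? { origin } : {} };
  const result = { status: 0, headers: {}, body: '' };
  const res = {
    writeHead(status, headers) { result.status = status; result.headers = headers; },
    end(body) { result.body = body; },
  };
  handler(req, res);
  return result;
}

// Defender-side audit: given a response header map (for instance copied from
// `curl -i` against a local dev server), report whether a page on an
// unrelated origin could read the response.
function auditCorsExposure(responseHeaders) {
  const unrelated = 'https://unrelated.example'; // constructed third-party origin
  return {
    wildcard: responseHeaders['Access-Control-Allow-Origin'] === '*',
    readableByUnrelatedOrigin: browserAllowsRead(responseHeaders, unrelated),
  };
}

// Worked comparison of the two policies for a request carrying an unrelated Origin.
const LOCAL_ORIGINS = ['http://localhost:8000', 'http://127.0.0.1:8000']; // assumed allowlist
const permissive = makeDevServerHandler(() => permissiveCorsHeaders());
const hardened = makeDevServerHandler((o) => allowlistCorsHeaders(o, LOCAL_ORIGINS));
const exposure = {
  permissive: auditCorsExposure(simulateRequest(permissive, 'https://unrelated.example').headers),
  hardened: auditCorsExposure(simulateRequest(hardened, 'https://unrelated.example').headers),
};
console.log(exposure);
// → permissive.readableByUnrelatedOrigin: true, hardened.readableByUnrelatedOrigin: false
```

The `auditCorsExposure` function is the part worth keeping: pointed at the headers a local dev server actually returns, it reports whether the wildcard is present and whether a page on some other origin would be permitted to read the body, which is the condition this advisory describes. The allowlist policy is only one of several ways to restrict CORS; the essential property is that no response to a request from an unknown origin carries an `Access-Control-Allow-Origin` value that origin matches.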
For development teams, this finding underscores the hidden risks in developer tooling and local server configurations. While the impact is confined to the local development context and rated as MEDIUM, it represents a tangible vector for data exfiltration or manipulation during the build and test phase. Projects using esbuild versions below 0.25.0, especially in environments where developers browse the web while running local servers, are advised to upgrade immediately to mitigate this cross-site request forgery (CSRF) and information disclosure risk.