CVE-2025-59342

esm.sh is a no-build content delivery network (CDN) for modern web development. In versions 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application's storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories. Version 136.1 contains a patch.
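The flaw described above is a request-controlled header value joined onto a storage path without canonicalization or a base-directory check. The following Go code is an added illustration, not esm.sh's own code: the function names and the base directory are hypothetical. It shows the vulnerable shape beside a hardened version that restricts the id to a single path segment and then verifies the cleaned result still lies under the base.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrZoneIDOutsideBase is returned when a zone id would escape the storage base.
var ErrZoneIDOutsideBase = errors.New("zone id escapes storage base directory")

// unsafeZoneStoragePath is the vulnerable shape (hypothetical, for contrast):
// the header value is joined onto the base with no validation, so a value
// containing "../" resolves to a directory outside base.
func unsafeZoneStoragePath(base, zoneID string) string {
	return filepath.Join(base, zoneID)
}

// zoneStoragePath is a hardened replacement (hypothetical): it allows only a
// conservative single-segment id, then confirms the cleaned absolute path is
// still inside base as a second, independent check.
func zoneStoragePath(base, zoneID string) (string, error) {
	if zoneID == "" {
		return "", errors.New("empty zone id")
	}
	for _, r := range zoneID {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9', r == '-', r == '_':
		default:
			return "", fmt.Errorf("invalid character %q in zone id", r)
		}
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absBase, zoneID)
	// Defense in depth: even if the allowlist above is relaxed later, refuse
	// any result whose path relative to base starts with "..".
	rel, err := filepath.Rel(absBase, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrZoneIDOutsideBase
	}
	return full, nil
}

func main() {
	for _, id := range []string{"zone-a", "../../etc"} { // constructed sample ids
		p, err := zoneStoragePath("/var/lib/esm/storage", id)
		fmt.Printf("%-12q -> %q err=%v\n", id, p, err)
	}
}
```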
CVSS

No CVSS.

Configurations

No configuration.

History

14 Jan 2026, 16:15

Values added:
  • Reference: https://github.com/esm-dev/esm.sh/commit/833a29f42aeb0acbd7089a71be11dd0a292d3151
  • Summary (es, translated from Spanish): esm.sh is a no-build content delivery network (CDN) for modern web development. In 136 and earlier, a path traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application's storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories.
Values removed and replaced:
  • Summary (en): the earlier description was removed and replaced by the same text with the sentence "Version 136.1 contains a patch." appended.

17 Sep 2025, 18:15

New CVE record created.

Information

Published : 2025-09-17 18:15

Updated : 2026-01-14 16:15


NVD link : CVE-2025-59342

Mitre link : CVE-2025-59342

CVE.ORG link : CVE-2025-59342



Products Affected

No product.

CWE
CWE-24

Path Traversal: '../filedir'