esmsh, Path Traversal, CVE-2025-59342 (Medium)

Listen to this Post

How CVE-2025-59342 works:

The vulnerability exists in how esm.sh handles the X-Zone-Id HTTP header and processes NPM tarballs. Specifically, a path-traversal flaw allows an attacker to cause the application to write files outside the intended storage location.
By crafting a malicious NPM package containing specially crafted file paths (e.g., package/../../tmp/evil.js), an attacker can escape the intended extraction directory. When esm.sh downloads and extracts such a package, the files may be written to arbitrary locations on the server.
For example, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. A crafted request like:
http://ESM_SH_HOST/v111/[email protected]/esnext/..%2f..%2f..%2fgh//exp@1171e85d5d/foo.md%23%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fpwned
results in a storage key that, when normalized, resolves to /tmp/pwned. The server then writes the content of foo.md to that arbitrary path.
By repeating this pattern, an attacker can overwrite critical binaries or scripts on the server, paving the way for remote code execution.
The issue was discovered by splitline (@splitline) from DEVCORE Research Team and patched in version 136.

dailycve form:

Platform: esm.sh
Version: <136 Vulnerability : Path Traversal Severity: Medium (5.5) date: 2025-09-17

Prediction: patch released

Analytics under What Undercode Say:

Identify vulnerable version
curl -I https://esm.sh/v136/react | grep "X-Powered-By"
List installed packages for audit
npm list --depth=0 | grep esm.sh
Check for malicious tarball extraction artifacts
find /tmp -type f -name ".js" -exec grep -l "malicious" {} \;
Verify ‘X-Zone-Id’ header injection simulation
curl -H "X-Zone-Id: ../../../tmp/pwned" https://esm.sh/react
Remediation: Update to patched version 136
npm update esm.sh

Exploit:

An attacker crafts a malicious NPM package with file paths containing ‘../’ sequences. When esm.sh downloads and extracts this package, files are written to arbitrary locations on the server, escaping the intended extraction directory. This can lead to remote code execution.

Protection from this CVE:

Update esm.sh to version 136 or later. Avoid processing untrusted NPM packages. Implement strict input validation and sanitization of ‘X-Zone-Id’ header. Use a Web Application Firewall (WAF) to block path traversal attempts. Regularly audit file system writes.

Impact:

Arbitrary File Write: An attacker can cause the server to write data to any file path it has write permission for. Privilege Escalation / Remote Code Execution: By overwriting critical binaries or scripts, the attacker can execute arbitrary code with the server’s privileges. This can lead to full system compromise.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top