CVE-2025-65025

Опубликовано: 19 нояб. 2025

Источник: nvd

CVSS3: 8.2

CVSS3: 9.8

EPSS Низкий

Описание

esm.sh is a nobuild content delivery network(CDN) for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths (e.g., package/../../tmp/evil.js). When esm.sh downloads and extracts this package, files may be written to arbitrary locations on the server, escaping the intended extraction directory. This issue has been patched in version 136.

Ссылки

https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16
Patch
https://github.com/esm-dev/esm.sh/security/advisories/GHSA-h3mw-4f23-gwpw
Exploit
Vendor Advisory
https://github.com/esm-dev/esm.sh/security/advisories/GHSA-h3mw-4f23-gwpw
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:esm:esm.sh:*:*:*:*:*:*:*:*

Версия до 136 (исключая)

EPSS

Процентиль: 12%

0.00042

Низкий

8.2 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-22

Связанные уязвимости

GHSA-h3mw-4f23-gwpw

CVSS3: 8.2

github

3 месяца назад

esm.sh CDN service has arbitrary file write via tarslip

EPSS

Процентиль: 12%

0.00042

Низкий

8.2 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-22