CVE-2025-59342
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-09-17
Last updated on: 2025-09-18
Assigner: GitHub, Inc.
Description
Description
esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the applicationβs storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| esm-dev | esm.sh | * |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-24 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory. |
