CVE-2026-23644
Unknown Unknown - Not Provided
Path Traversal Vulnerability in esm.sh Allows Arbitrary File Access

Publication date: 2026-01-18

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseeudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a malicious tar file. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-18
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23644
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
esm esm.sh to 136 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23644 is a path traversal vulnerability in the esm.sh project’s function extractPackageTarball. The vulnerability occurs because the function uses path.Clean to normalize file paths extracted from tarballs, but this does not prevent absolute paths or path traversal sequences like '../../../'. This allows an attacker to craft a malicious tarball that can write files outside the intended extraction directory, potentially overwriting files on the server. The issue was fixed by replacing path with filepath package functions, normalizing and sanitizing tarball entry names, and ensuring files are extracted only within the intended directory. [1, 3]

Impact Analysis

This vulnerability can allow an attacker to write arbitrary files outside the intended extraction directory on the server hosting esm.sh. This could lead to overwriting esm.sh configuration files, poisoning cached packages, and potentially enabling server-side code execution if the attacker can write to executable or script files. However, the default deployment mitigates some risks by enforcing file extension whitelists and running the service as a non-root user with limited write permissions. Despite these mitigations, in self-hosted or modified environments, the risk of code execution remains. [1, 3, 2]

Detection Guidance

Detection of this vulnerability involves identifying malicious tarball files attempting path traversal during extraction. One approach is to inspect tarball contents for absolute paths or directory traversal sequences like '../'. For example, you can list tarball contents and check for suspicious paths using the command: `tar -tf suspicious-package.tar | grep -E '^/|\.\./'`. Additionally, monitoring file extraction logs or filesystem changes outside expected directories (e.g., outside the package directory) can help detect exploitation attempts. Since the vulnerability relates to tarball extraction in esm.sh, reviewing logs or audit trails for unexpected file writes outside the intended extraction directory is recommended. [1, 3]

Mitigation Strategies

Immediate mitigation steps include updating esm.sh to the fixed version that includes the patch at pseudoversion 0.0.0-20260116051925-c62ab83c589e or later, which replaces the vulnerable path handling with secure filepath operations and sanitization. If updating is not immediately possible, restrict or monitor tarball uploads and extractions to prevent malicious files with absolute or traversal paths. Also, ensure the extraction process runs with least privilege, limiting write permissions to only necessary directories. Applying the patch from commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16 is critical to prevent arbitrary file writes outside the intended directory. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23644. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart