CVE-2026-23644
Path Traversal Vulnerability in esm.sh Allows Arbitrary File Access

Publication date: 2026-01-18

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix: `path.Clean` normalizes a path but does not reject absolute paths in a malicious tar file. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: esm
Product: esm.sh
Version / Range: all versions up to, but excluding, 136
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-23644 is a path traversal vulnerability (CWE-22) in the esm.sh function extractPackageTarball. The function ran the entry names found in a package tarball through path.Clean before writing them to disk, but path.Clean only normalizes a name: it leaves an absolute name such as /etc/passwd untouched and keeps leading '../' segments, so neither absolute paths nor traversal sequences were actually rejected. An attacker who can get esm.sh to extract a crafted tarball can therefore make it write files outside the intended extraction directory, potentially overwriting files on the server. The fix moves the path handling to the filepath package, normalizes and sanitizes each tarball entry name, and verifies that every destination path stays inside the intended directory before extracting. [1, 3]


How can this vulnerability impact me? :

This vulnerability allows an attacker to write arbitrary files outside the intended extraction directory on the server hosting esm.sh. That can mean overwriting esm.sh configuration files, poisoning cached packages, and potentially server-side code execution if the attacker can overwrite an executable or script that the service or the host later runs. The sources note that the default deployment narrows the impact by enforcing file extension whitelists and running the service as a non-root user with limited write permissions, but a self-hosted or modified deployment that relaxes either of those controls keeps the code execution risk. [1, 3, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection comes down to spotting tarball entries that try to escape the extraction directory: absolute names and names containing a '..' segment. To list an archive's stored names and flag the suspicious ones, run: `tar -tf suspicious-package.tgz | grep -E '^/|(^|/)\.\.(/|$)'` (GNU tar and bsdtar detect gzip compression on read; add `-P` to GNU tar if it strips leading slashes when listing, and use `-tvf` to also see symlink targets, which can point outside the directory even when the entry name itself looks clean). On a running host, watch for file writes outside the package directory, for example by auditing the extraction directory's parent with inotify or auditd and by reviewing esm.sh logs for unexpected file writes outside the intended extraction directory. [1, 3]
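The following Go program is an added example and is not code from esm.sh or from its fix commit. It shows both sides of the two answers above: `safeJoin` is the kind of containment check an extractor needs (reject absolute names, resolve the entry under the root with `filepath.Join`, confirm with `filepath.Rel` that the result is still under the root), and `scanTarball` applies it to every entry of a tar stream, including symlink and hard-link targets, which is the programmatic counterpart of the `tar -tf | grep` check. The root path `/srv/esm/pkg`, the entry names, and the function names are assumptions; the tarball is constructed in memory for the demonstration, and `main` first prints what `path.Clean` makes of the malicious names to show that it leaves the escape intact.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
	"path/filepath"
	"strings"
)

// safeJoin is the containment check an extractor needs before creating any
// file from a tar entry: reject absolute names, resolve under root with
// filepath.Join, then confirm with filepath.Rel that the result is still
// under root. path.Clean alone performs neither of the last two steps.
func safeJoin(root, name string) (string, error) {
	if name == "" || strings.HasPrefix(name, "/") || filepath.IsAbs(name) {
		return "", fmt.Errorf("absolute or empty entry name %q", name)
	}
	// Tar names are slash-separated; convert so Join treats them as paths.
	dest := filepath.Join(root, filepath.FromSlash(name))
	rel, err := filepath.Rel(root, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes %s", name, root)
	}
	return dest, nil
}

// Finding records one tar entry that must not be extracted.
type Finding struct {
	Name   string
	Reason string
}

// scanTarball walks an uncompressed tar stream and reports every entry whose
// name, or whose symlink/hard-link target, would land outside root.
func scanTarball(root string, r io.Reader) ([]Finding, error) {
	tr := tar.NewReader(r)
	var findings []Finding
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return findings, nil
		}
		if err != nil {
			return findings, err
		}
		if _, err := safeJoin(root, hdr.Name); err != nil {
			findings = append(findings, Finding{hdr.Name, err.Error()})
			continue
		}
		switch hdr.Typeflag {
		case tar.TypeSymlink:
			// A relative symlink target is interpreted from the entry's own
			// directory, so resolve it there before checking containment.
			target := hdr.Linkname
			if !strings.HasPrefix(target, "/") {
				target = path.Join(path.Dir(hdr.Name), target)
			}
			if _, err := safeJoin(root, target); err != nil {
				findings = append(findings, Finding{hdr.Name, "symlink target: " + err.Error()})
			}
		case tar.TypeLink:
			// Hard-link targets are archive-relative, so check them as-is.
			if _, err := safeJoin(root, hdr.Linkname); err != nil {
				findings = append(findings, Finding{hdr.Name, "hard-link target: " + err.Error()})
			}
		}
	}
}

// buildSampleTar constructs an in-memory tarball (sample data, not a real
// package) mixing legitimate entries with three escape attempts.
func buildSampleTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	add := func(name, link string, typ byte, body string) {
		hdr := &tar.Header{Name: name, Linkname: link, Typeflag: typ, Mode: 0o644, Size: int64(len(body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := io.WriteString(tw, body); err != nil {
			panic(err)
		}
	}
	add("package/package.json", "", tar.TypeReg, `{"name":"sample"}`)
	add("package/dist/../index.js", "", tar.TypeReg, "export default 1;\n") // harmless "..", stays inside
	add("/etc/cron.d/evil", "", tar.TypeReg, "* * * * * root /bin/sh\n")    // absolute name
	add("package/../../../.ssh/authorized_keys", "", tar.TypeReg, "ssh-ed25519 AAAA\n")
	add("package/out", "../../..", tar.TypeSymlink, "") // symlink climbing above root
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	const root = "/srv/esm/pkg"
	for _, n := range []string{"/etc/cron.d/evil", "package/../../../.ssh/authorized_keys"} {
		fmt.Printf("path.Clean(%q) = %q\n", n, path.Clean(n)) // normalized, still escaping
	}
	findings, err := scanTarball(root, bytes.NewReader(buildSampleTar()))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("REJECT %-42s %s\n", f.Name, f.Reason)
	}
}
```

Two design notes. `safeJoin` is purely lexical, which is what the tar format allows you to check before touching the disk; an extractor should additionally refuse to write through a symlink that an earlier entry created (open with O_NOFOLLOW or Lstat each path component), because a symlink that points inside the root can still be abused as a hop. And the scanner treats `..` segments the same way the listing command does, but unlike the listing it also evaluates link targets, which is where the shell one-liner goes quiet.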


What immediate steps should I take to mitigate this vulnerability?

Update esm.sh to a build that includes the fix, i.e. Go pseudoversion 0.0.0-20260116051925-c62ab83c589e or later (commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16), which replaces the vulnerable path handling with filepath-based sanitization and a containment check. If you cannot update immediately, control and monitor which tarballs the service fetches and extracts, and scan them for absolute or traversal entry names before they reach the extractor. In all cases run the extraction with least privilege: a dedicated non-root user whose write access is limited to the package directory, so that an escaping entry cannot reach configuration files or anything executable. [1, 3]

