CVE-2026-44593
Arbitrary File Write in esm.sh CDN
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| esm.sh | esm.sh | to 137 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44593 is a critical vulnerability in the esm.sh package (versions earlier than 137) involving a path traversal flaw in the legacy router component.
The legacy router retrieves a response from legacyServer and parses the incoming request path, then concatenates path components without sanitizing them, producing a storage key.
Because the storage key is not sanitized, the underlying file system resolves relative path segments, allowing an attacker to craft a request that writes data to arbitrary locations on the server.
This can be exploited by sending malicious URLs with encoded path traversal sequences (e.g., '..%2f'), enabling an attacker to overwrite critical files such as binaries or scripts.
How can this vulnerability impact me? :
This vulnerability can lead to remote code execution (RCE) on the affected server.
An attacker can write arbitrary files to any location on the server where the application has write permissions, potentially overwriting critical system files.
This could result in privilege escalation and full system compromise, allowing attackers to control the server and execute malicious code.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious HTTP requests containing encoded path traversal sequences such as '..%2f' or similar patterns in URLs targeting the esm.sh legacy router.
Network detection can involve inspecting web server logs or using tools like grep to search for these encoded traversal patterns in request paths.
- Example command to search web server logs for suspicious requests: grep -iE '\.\.%2[fF]' /var/log/nginx/access.log
- Use curl or similar tools to test if the server improperly handles path traversal sequences by sending crafted requests with encoded '..%2f' in the URL.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the esm.sh legacy router to trusted users or networks to prevent exploitation.
Since no patched versions are currently available, consider disabling or removing the legacy router component if possible.
Implement web application firewall (WAF) rules to block requests containing encoded path traversal sequences such as '..%2f'.
Monitor logs closely for any signs of exploitation attempts and prepare to respond to potential incidents.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an attacker to write arbitrary files to any location on the server, potentially leading to remote code execution and full system compromise.
Such unauthorized access and control over the system could result in exposure or manipulation of sensitive data, which may violate compliance requirements under standards like GDPR and HIPAA that mandate protection of personal and health information.
Therefore, exploitation of this vulnerability could lead to non-compliance with these regulations due to potential data breaches and failure to maintain system integrity and confidentiality.