CVE-2026-44593
Deferred Deferred - Pending Action
Arbitrary File Write in esm.sh CDN

Publication date: 2026-05-28

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components without sanitizing them, producing a storage key. When this key is used, the underlying file system resolves the relative segments and writes the file to the specified path. Thus an attacker can craft a request that writes data to arbitrary locations on the server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-02
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-44593
EUVD
EUVD-2026-32910
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
esm.sh esm.sh to 137 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-44593 is a critical vulnerability in the esm.sh package (versions earlier than 137) involving a path traversal flaw in the legacy router component.

The legacy router retrieves a response from legacyServer and parses the incoming request path, then concatenates path components without sanitizing them, producing a storage key.

Because the storage key is not sanitized, the underlying file system resolves relative path segments, allowing an attacker to craft a request that writes data to arbitrary locations on the server.

This can be exploited by sending malicious URLs with encoded path traversal sequences (e.g., '..%2f'), enabling an attacker to overwrite critical files such as binaries or scripts.

Compliance Impact

The vulnerability allows an attacker to write arbitrary files to any location on the server, potentially leading to remote code execution and full system compromise.

Such unauthorized access and control over the system could result in exposure or manipulation of sensitive data, which may violate compliance requirements under standards like GDPR and HIPAA that mandate protection of personal and health information.

Therefore, exploitation of this vulnerability could lead to non-compliance with these regulations due to potential data breaches and failure to maintain system integrity and confidentiality.

Impact Analysis

This vulnerability can lead to remote code execution (RCE) on the affected server.

An attacker can write arbitrary files to any location on the server where the application has write permissions, potentially overwriting critical system files.

This could result in privilege escalation and full system compromise, allowing attackers to control the server and execute malicious code.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious HTTP requests containing encoded path traversal sequences such as '..%2f' or similar patterns in URLs targeting the esm.sh legacy router.

Network detection can involve inspecting web server logs or using tools like grep to search for these encoded traversal patterns in request paths.

  • Example command to search web server logs for suspicious requests: grep -iE '\.\.%2[fF]' /var/log/nginx/access.log
  • Use curl or similar tools to test if the server improperly handles path traversal sequences by sending crafted requests with encoded '..%2f' in the URL.
Mitigation Strategies

Immediate mitigation steps include restricting access to the esm.sh legacy router to trusted users or networks to prevent exploitation.

Since no patched versions are currently available, consider disabling or removing the legacy router component if possible.

Implement web application firewall (WAF) rules to block requests containing encoded path traversal sequences such as '..%2f'.

Monitor logs closely for any signs of exploitation attempts and prepare to respond to potential incidents.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44593. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart