Description

esm.sh is a no-build content delivery network (CDN) for modern web development. In version 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application's storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories. Version 136.1 contains a patch.
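The flaw class described above, shown beside a contained version, as an added example that is not esm.sh's own code or its patch. The function names, the allow-list pattern and the base directory are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrBadZone is returned when a zone id fails validation or containment.
var ErrBadZone = errors.New("invalid X-Zone-Id")

// zoneIDPattern is an assumed allow-list: one path segment, no separators.
var zoneIDPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$`)

// unsafeZoneDir joins the header value onto the base with no checks.
// filepath.Join cleans the result, so "../" segments climb out of base.
func unsafeZoneDir(base, zoneID string) string {
	return filepath.Join(base, zoneID)
}

// safeZoneDir validates the header value first, then confirms that the
// canonical result is still inside the storage base before returning it.
func safeZoneDir(base, zoneID string) (string, error) {
	if !zoneIDPattern.MatchString(zoneID) || strings.Contains(zoneID, "..") {
		return "", ErrBadZone
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	dir := filepath.Join(absBase, zoneID)
	// Defence in depth: the path relative to base must not start with "..".
	rel, err := filepath.Rel(absBase, dir)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadZone
	}
	return dir, nil
}

func main() {
	base := "/srv/storage" // constructed base directory
	for _, id := range []string{"team-a", "../outside", "a/../../b", ".."} { // constructed header values
		dir, err := safeZoneDir(base, id)
		fmt.Printf("%-12q unsafe=%-20s safe=%q err=%v\n", id, unsafeZoneDir(base, id), dir, err)
	}
}
```

The allow-list alone rejects every traversal input here; the `filepath.Rel` check stays in place so that a later loosening of the pattern does not reopen the write-outside-base condition.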

INFO

Published Date: 2025-09-17T17:59:34.163Z
Last Modified: 2026-01-14T15:52:09.174Z
Source: GitHub_M

AFFECTED PRODUCTS

The following products are affected by the CVE-2025-59342 vulnerability.

Vendor: Esm-dev
Product: Esmsh

CVSS Vulnerability Scoring System

Metrics shown in the chart: Attack Vector, Attack Complexity, Attack Requirements, Privileges Required, User Interaction, VS Confidentiality, VS Integrity, VS Availability, SS Confidentiality, SS Integrity, SS Availability.