Description

esm.sh is a nobuild content delivery network(CDN) for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths (e.g., package/../../tmp/evil.js). When esm.sh downloads and extracts this package, files may be written to arbitrary locations on the server, escaping the intended extraction directory. This issue has been patched in version 136.

INFO

Published Date :

2025-11-19T17:32:46.835Z

Last Modified :

2025-11-20T14:09:44.277Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-65025 vulnerability.

Vendors Products
Esm
  • Esm.sh
Esm-dev
  • Esmsh
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-65025.

URL Resource
https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16 cve-icon cve-icon
https://github.com/esm-dev/esm.sh/security/advisories/GHSA-h3mw-4f23-gwpw cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact