Description

esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseeudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a malicious tar file. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue.

INFO

Published Date :

2026-01-18T22:49:29.676Z

Last Modified :

2026-01-20T20:06:58.947Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-23644 vulnerability.

Vendors Products
Esm-dev
  • Esmsh
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-23644.

URL Resource
https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16 cve-icon cve-icon
https://github.com/esm-dev/esm.sh/commit/c62ab83c589e7b421a0e1376d2a00a4e48161093 cve-icon cve-icon
https://github.com/esm-dev/esm.sh/security/advisories/GHSA-2657-3c98-63jq cve-icon cve-icon
https://pkg.go.dev/vuln/GO-2025-4138 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability