CVE-2025-59342

esm.sh writes arbitrary files via path traversal in `X-Zone-Id` header

CVSS 5.5 MEDIUM · EPSS 2.8% · CWE-24
esm.sh is a no-build content delivery network (CDN) for modern web development. In version 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to make the application write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application's storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories. Version 136.1 contains a patch.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Affected products
esm-dev · esm.sh
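As an added illustration of the flaw class described above (not esm.sh's own code; the base directory /srv/esm and the function names are assumptions), a Go routine that maps an untrusted X-Zone-Id value to a directory and rejects any value that would resolve outside the storage base, next to the unchecked join the advisory describes:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrBadZoneID is returned for any header value that is not a plain name or
// whose resolved path would leave the storage base directory.
var ErrBadZoneID = errors.New("invalid X-Zone-Id: not a single path component inside the storage base")

// zoneIDPattern allows only a short plain identifier: no path separators and
// no dot-only names such as "." or "..".
var zoneIDPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$`)

// zoneDir is a hypothetical hardened mapping: the value is first restricted to
// a single path component, then the joined path is canonicalized and checked
// to still lie under base (defense in depth against future pattern changes).
func zoneDir(base, zoneID string) (string, error) {
	if !zoneIDPattern.MatchString(zoneID) {
		return "", ErrBadZoneID
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(absBase, zoneID) // Join cleans the result, resolving any ".."
	rel, err := filepath.Rel(absBase, candidate)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadZoneID
	}
	return candidate, nil
}

// unsafeZoneDir is the vulnerable pattern from the advisory: the header value is
// joined into the path with no restriction, so "../" walks out of base.
func unsafeZoneDir(base, zoneID string) string {
	return filepath.Join(base, zoneID)
}

func main() {
	for _, id := range []string{"zone-1", "../../etc"} { // constructed sample header values
		dir, err := zoneDir("/srv/esm", id)
		fmt.Printf("%-12q unsafe=%s hardened=%q err=%v\n", id, unsafeZoneDir("/srv/esm", id), dir, err)
	}
}
```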