CVE-2025-65025

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-65025

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-65025.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-65025

Aliases

GHSA-h3mw-4f23-gwpw

Published

2025-11-19T17:32:46.835Z

Modified

2025-11-22T13:06:50.832945Z

Severity

8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N CVSS Calculator

Summary

esm.sh CDN service has arbitrary file write via tarslip

Details

esm.sh is a nobuild content delivery network(CDN) for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths (e.g., package/../../tmp/evil.js). When esm.sh downloads and extracts this package, files may be written to arbitrary locations on the server, escaping the intended extraction directory. This issue has been patched in version 136.

Database specific

{
    "cwe_ids": [
        "CWE-22"
    ]
}

References

Affected packages

Git / github.com/esm-dev/esm.sh

Affected ranges

Type: GIT
Repo: https://github.com/esm-dev/esm.sh
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

1ad31b6352bb0a064ece812f6f360e4850e16051

Affected versions

Other

v100

v101

v102

v103

v104

v105

v106

v107

v108

v109

v110

v111

v112

v113

v114

v115

v116

v117

v119

v120

v121

v122

v123

v124

v125

v126

v127

v128

v129

v130

v131

v132

v133

v134

v135

v135_1

v34

v35

v37

v38

v39

v40

v41

v43

v44

v45

v46

v47

v49

v50

v51

v52

v53

v55

v56

v57

v59

v60

v61

v62

v63

v64

v65

v66

v67

v68

v69

v70

v71

v72

v73

v74

v75

v76

v77

v78

v79

v80

v81

v82

v83

v84

v85

v86

v87

v88

v89

v90

v91

v92

v93

v94

v95

v96

v97

v98

v99