GO-2025-3967
- Source
- https://pkg.go.dev/vuln/GO-2025-3967
- Import Source
- https://vuln.go.dev/ID/GO-2025-3967.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GO-2025-3967
- Aliases
- Published
- 2025-09-24T19:21:37Z
- Modified
- 2025-09-24T20:12:19.756535Z
- Summary
- esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header in github.com/esm-dev/esm.sh
- Details
-
esm.sh has arbitrary file write via path traversal in
X-Zone-Idheader in github.com/esm-dev/esm.sh - Database specific
{ "url": "https://pkg.go.dev/vuln/GO-2025-3967", "review_status": "UNREVIEWED" }- References
-
- https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw
- https://nvd.nist.gov/vuln/detail/CVE-2025-59342
- https://github.com/esm-dev/esm.sh/commit/833a29f42aeb0acbd7089a71be11dd0a292d3151
- https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116
- https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411
Affected packages
Go / github.com/esm-dev/esm.sh
Package
- Name
- github.com/esm-dev/esm.sh
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/esm-dev/esm.sh