CVE-2025-59342
- Source
- https://cve.org/CVERecord?id=CVE-2025-59342
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-59342.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-59342
- Aliases
- Downstream
- Related
- Published
- 2025-09-17T17:59:34.163Z
- Modified
- 2026-01-30T02:40:34.299816Z
- Severity
-
- 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- esm.sh writes arbitrary files via path traversal in `X-Zone-Id` header
- Details
-
esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories. Version 136.1 contains a patch.
- Database specific
{ "cwe_ids": [ "CWE-24" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59342.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59342.json
- https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116
- https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411
- https://github.com/esm-dev/esm.sh/commit/833a29f42aeb0acbd7089a71be11dd0a292d3151
- https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw
- https://nvd.nist.gov/vuln/detail/CVE-2025-59342
Affected packages
Git / github.com/esm-dev/esm.sh
Affected ranges
- Type
- GIT
- Repo
- https://github.com/esm-dev/esm.sh
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
v100
v101
v102
v103
v104
v105
v106
v107
v108
v109
v110
v111
v112
v113
v114
v115
v116
v117
v119
v120
v121
v122
v123
v124
v125
v126
v127
v128
v129
v130
v131
v132
v133
v134
v135
v135_1
v136
v34
v35
v37
v38
v39
v40
v41
v43
v44
v45
v46
v47
v49
v50
v51
v52
v53
v55
v56
v57
v59
v60
v61
v62
v63
v64
v65
v66
v67
v68
v69
v70
v71
v72
v73
v74
v75
v76
v77
v78
v79
v80
v81
v82
v83
v84
v85
v86
v87
v88
v89
v90
v91
v92
v93
v94
v95
v96
v97
v98
v99