CVE-2025-59342: esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header
(updated )
A path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories (example observed: ~/.esmd/modules/transform/<id>/ instead of ~/.esmd/storage/modules/transform).
Severity: Medium
Component / Endpoint:
POST /transform — handling of X-Zone-Id header
The vulnerable code is in https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116 and https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411
Impact: Arbitrary file creation / overwrite outside intended storage directory (file write to attacker-controlled path). Possible remote code execution, persistence, tampering with application files, or facilitating further path-traversal attacks.
References
- github.com/advisories/GHSA-g2h5-cvvr-7gmw
- github.com/esm-dev/esm.sh
- github.com/esm-dev/esm.sh/blob/main/server/router.go
- github.com/esm-dev/esm.sh/blob/main/server/router.go
- github.com/esm-dev/esm.sh/commit/833a29f42aeb0acbd7089a71be11dd0a292d3151
- github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw
- nvd.nist.gov/vuln/detail/CVE-2025-59342
- pkg.go.dev/vuln/GO-2025-3967
Code Behaviors & Features
Detect and mitigate CVE-2025-59342 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →