CVE-2025-65025: esm.sh CDN service has arbitrary file write via tarslip
The esm.sh CDN service contains a path traversal (CWE-22) weakness in the code that extracts NPM package tarballs.
An attacker can craft a malicious NPM package containing specially crafted file paths (e.g., package/../../tmp/evil.js).
When esm.sh downloads and extracts this package, files may be written to arbitrary locations on the server, escaping the intended extraction directory.
Official registries (npm, GitHub) reject packages whose file paths contain ../, but the X-Npmrc request header lets a client point esm.sh at any registry it names.
By setting the registry to an attacker-controlled server via the X-Npmrc header, a tarball with such paths can be served to esm.sh and the traversal triggered.