esm.sh is a no-build content delivery network (CDN) for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths (e.g., package/../../tmp/evil.js). When esm.sh downloads and extracts this package, files may be written to arbitrary locations on the server, escaping the intended extraction directory. This issue has been patched in version 136.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/esm-dev/esm.sh (Go) | 0 | 0.0.0-20251117232647-9d77b88c3207 | N/A |
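The flaw described above is the classic tar-slip pattern: the extractor joins each entry name onto the extraction directory without checking where the cleaned path ends up, so a name such as package/../../tmp/evil.js lands outside it. The following is an added example of a hardened pre-extraction check in Go; it is not esm.sh's code, the function names are hypothetical, the tarball is constructed sample data, and it assumes Go 1.20 or later for filepath.IsLocal.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
)

// checkEntry returns the on-disk path for one archive entry under dest. The unsafe pattern is a
// bare filepath.Join(dest, hdr.Name); link entries are refused too, since a symlink can point out of dest.
func checkEntry(dest string, hdr *tar.Header) (string, error) {
	if hdr.Typeflag == tar.TypeSymlink || hdr.Typeflag == tar.TypeLink {
		return "", fmt.Errorf("tar entry %q is a link; refusing", hdr.Name)
	}
	if !filepath.IsLocal(hdr.Name) { // false for absolute names and any ".." that climbs out (Go 1.20+)
		return "", fmt.Errorf("tar entry %q escapes extraction directory", hdr.Name)
	}
	return filepath.Join(dest, hdr.Name), nil
}

// planExtraction checks every entry before anything is written; it returns the resolved targets or the first bad entry.
func planExtraction(tarball []byte, dest string) (targets []string, err error) {
	tr := tar.NewReader(bytes.NewReader(tarball))
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		target, err := checkEntry(dest, hdr)
		if err != nil {
			return nil, err
		}
		targets = append(targets, target)
	}
	return targets, nil
}

// buildTarball constructs an in-memory tarball (sample data, not a real npm package) of one-byte files.
func buildTarball(names ...string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644, Size: 1, Typeflag: tar.TypeReg})
		tw.Write([]byte("x"))
	}
	tw.Close()
	return buf.Bytes()
}
```

Running the check over the whole archive before writing anything means a package with a single escaping entry is rejected outright rather than partially extracted.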