CVE-2025-65025 – CVE-2025-65025 is a path traversal vulnerabilit... (How to Fix)

Q: What is the severity of CVE-2025-65025?

CVE-2025-65025 has a CVSS score of 8.2 (HIGH). CVE-2025-65025 is a path traversal vulnerability in esm.sh CDN service that allows attackers to write files to arbitrary server locations during NPM package extraction. This affects all users of esm.sh versions prior to 136. An attacker can exploit this by uploading a malicious NPM package with crafted file paths.

📋 TL;DR

CVE-2025-65025 is a path traversal vulnerability in esm.sh CDN service that allows attackers to write files to arbitrary server locations during NPM package extraction. This affects all users of esm.sh versions prior to 136. An attacker can exploit this by uploading a malicious NPM package with crafted file paths.

💻 Affected Systems

Products:

esm.sh CDN service

Versions: All versions prior to 136

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the esm.sh service itself, not client applications using it.

📦 What is this software?

Esm.sh by Esm

View all CVEs affecting Esm.sh →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise through arbitrary file write leading to remote code execution, data exfiltration, or service disruption.

🟠

Likely Case

Unauthorized file writes to sensitive directories, potentially enabling further attacks or data manipulation.

🟢

If Mitigated

Limited impact if proper file system permissions and sandboxing prevent writes to critical locations.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires uploading a malicious NPM package to esm.sh, which is publicly accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 136

Vendor Advisory: https://github.com/esm-dev/esm.sh/security/advisories/GHSA-h3mw-4f23-gwpw

Restart Required: Yes

Instructions:

1. Update esm.sh to version 136 or later. 2. Restart the esm.sh service. 3. Verify the fix by checking the version and testing package extraction.

🔧 Temporary Workarounds

Temporary service disable

linux

Disable esm.sh service until patched to prevent exploitation.

systemctl stop esm.sh
service esm.sh stop

🧯 If You Can't Patch

Implement strict file system permissions to limit write access to critical directories.
Monitor for unusual file creation patterns in server logs and file systems.

🔍 How to Verify

Check if Vulnerable:

Check esm.sh version; if below 136, it is vulnerable.

Check Version:

curl -s https://esm.sh/version or check service logs for version info

Verify Fix Applied:

Confirm esm.sh version is 136 or higher and test with a benign NPM package containing path traversal attempts.

📡 Detection & Monitoring

Log Indicators:

Unusual file write patterns outside expected directories
Failed path traversal attempts in extraction logs

Network Indicators:

Suspicious NPM package uploads to esm.sh endpoint

SIEM Query:

source="esm.sh" AND (event="file_write" AND path="*../*")

📊 Metadata

CVE ID: CVE-2025-65025

CVSS v3 Score: 8.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

CWE: CWE-22

EPSS Score: 0.04% exploit probability (12.5th percentile)

Published: November 19, 2025

Last Updated: January 15, 2026

🔗 References

https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16 Patch
https://github.com/esm-dev/esm.sh/security/advisories/GHSA-h3mw-4f23-gwpw Exploit,Vendor Advisory
https://github.com/esm-dev/esm.sh/security/advisories/GHSA-h3mw-4f23-gwpw Exploit,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-65025, you might also want to check these: