CVE-2026-23644
📋 TL;DR
A path traversal vulnerability in esm.sh CDN allows attackers to write arbitrary files outside intended directories by exploiting absolute paths in malicious tar archives. This affects all users of esm.sh versions prior to pseudoversion 0.0.0-20260116051925-c62ab83c589e. The vulnerability stems from an incomplete fix where path.Clean normalizes paths but doesn't prevent absolute path exploitation.
💻 Affected Systems
- esm.sh
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution via arbitrary file write, potentially leading to complete system compromise, data exfiltration, or service disruption.
Likely Case
Arbitrary file write allowing attackers to overwrite critical files, inject malicious code, or disrupt service functionality.
If Mitigated
Limited impact with proper file system permissions and isolation, potentially only affecting the esm.sh service account.
🎯 Exploit Status
Exploitation requires uploading a malicious tar file with absolute paths, which is straightforward for attackers familiar with path traversal techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: pseudoversion 0.0.0-20260116051925-c62ab83c589e or later
Vendor Advisory: https://github.com/esm-dev/esm.sh/security/advisories/GHSA-2657-3c98-63jq
Restart Required: Yes
Instructions:
1. Update esm.sh to pseudoversion 0.0.0-20260116051925-c62ab83c589e or later.
2. Restart the esm.sh service.
3. Verify the fix by checking the version and testing tar file uploads with absolute paths.
🔧 Temporary Workarounds
Input validation for tar extraction
Implement custom validation to reject tar files containing absolute paths before extraction.
Implement file validation logic in your application code
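The advisory's root cause is that path.Clean normalizes an entry name but leaves an absolute name absolute, so a check must reject absolute and escaping names explicitly. The Go code below is an added example of the validation this workaround describes; it is not esm.sh's code or the advisory's. It assumes the uploaded archive is available as bytes and that extraction targets a known destination directory; the entry names and link targets it builds are constructed samples. It goes slightly beyond the advisory by also checking symlink targets, which are a second way for an archive entry to reach outside the destination.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
	"path/filepath"
	"strings"
)

// ErrUnsafePath marks a tar entry whose name or link target would land outside dest.
var ErrUnsafePath = errors.New("tar entry escapes destination directory")

// SafeJoin maps a tar entry name onto a path under dest, or returns ErrUnsafePath.
// path.Clean alone is not enough: path.Clean("/outside/f") is still absolute and
// path.Clean("a/../../b") is "../b", so both forms must be rejected explicitly.
func SafeJoin(dest, name string) (string, error) {
	cleaned := path.Clean(name) // tar names are slash-separated
	if name == "" || path.IsAbs(cleaned) || filepath.IsAbs(cleaned) ||
		cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return "", ErrUnsafePath
	}
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, filepath.FromSlash(cleaned))
	// Defence in depth: re-derive the relative path and confirm it does not climb out.
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return target, nil
}

// ValidateArchive walks the archive and returns the destination path of every entry,
// failing on the first unsafe name or symlink target. Run it before extraction so one
// bad entry rejects the whole upload instead of being discovered mid-write.
func ValidateArchive(archive []byte, dest string) ([]string, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	var targets []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return targets, nil
		}
		if err != nil {
			return nil, err
		}
		target, err := SafeJoin(dest, hdr.Name)
		if err != nil {
			return nil, fmt.Errorf("%w: %q", err, hdr.Name)
		}
		if hdr.Typeflag == tar.TypeSymlink {
			// A symlink resolves relative to its own directory. An absolute target must be
			// rejected first, because path.Join would silently drop its leading slash.
			if path.IsAbs(hdr.Linkname) {
				return nil, fmt.Errorf("%w: symlink %q -> %q", ErrUnsafePath, hdr.Name, hdr.Linkname)
			}
			if _, err := SafeJoin(dest, path.Join(path.Dir(hdr.Name), hdr.Linkname)); err != nil {
				return nil, fmt.Errorf("%w: symlink %q -> %q", err, hdr.Name, hdr.Linkname)
			}
		}
		targets = append(targets, target)
	}
}

// Entry is a constructed archive member used only to build sample input.
type Entry struct {
	Name, Body, Linkname string
}

// BuildTar writes the entries into an in-memory tar archive (constructed sample input).
func BuildTar(entries []Entry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.Name, Mode: 0o644, Typeflag: tar.TypeReg, Size: int64(len(e.Body))}
		if e.Linkname != "" {
			hdr.Typeflag, hdr.Linkname, hdr.Size = tar.TypeSymlink, e.Linkname, 0
		}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if hdr.Typeflag == tar.TypeReg {
			if _, err := tw.Write([]byte(e.Body)); err != nil {
				panic(err)
			}
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// Constructed archives: one well-formed package, one with an absolute entry name.
	good := BuildTar([]Entry{{Name: "package/index.js", Body: "export default 1;"}})
	bad := BuildTar([]Entry{{Name: "/outside/file.txt", Body: "x"}})
	for _, a := range [][]byte{good, bad} {
		targets, err := ValidateArchive(a, "/data")
		fmt.Println(targets, err)
	}
}
```

The check is deliberately applied to the whole archive before any byte is written; a validator that runs per entry during extraction has already written the earlier entries by the time it rejects a later one.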
File system isolation
Run esm.sh in a container or chroot jail with restricted file system access.
docker run --read-only -v /safe/path:/data esm-sh
chroot /jail /usr/bin/esm.sh
🧯 If You Can't Patch
- Implement strict file system permissions limiting esm.sh service account to specific directories only.
- Deploy network-level controls to restrict tar file uploads from untrusted sources.
🔍 How to Verify
Check if Vulnerable:
Check if your esm.sh version is earlier than pseudoversion 0.0.0-20260116051925-c62ab83c589e.
Check Version:
Check your esm.sh deployment logs or configuration for the pseudoversion identifier.
Verify Fix Applied:
Test uploading a tar file with absolute paths; it should be rejected or fail to extract outside the intended directories.
📡 Detection & Monitoring
Log Indicators:
- Failed tar extraction attempts with absolute paths
- Unexpected file write operations outside normal directories
- Error messages related to path traversal
Network Indicators:
- Unusual tar file uploads to esm.sh endpoints
- Suspicious file extraction patterns
SIEM Query:
source="esm.sh" AND ("absolute path" OR "path traversal" OR "tar extraction error")