{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23644", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-14T16:08:37.484Z", "datePublished": "2026-01-18T22:49:29.676Z", "dateUpdated": "2026-01-20T20:06:58.947Z"}, "containers": {"cna": {"title": "esm.sh has path traversal in `extractPackageTarball` that enables file writes from malicious packages", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-2657-3c98-63jq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-2657-3c98-63jq"}, {"name": "https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16", "tags": ["x_refsource_MISC"], "url": "https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16"}, {"name": "https://github.com/esm-dev/esm.sh/commit/c62ab83c589e7b421a0e1376d2a00a4e48161093", "tags": ["x_refsource_MISC"], "url": "https://github.com/esm-dev/esm.sh/commit/c62ab83c589e7b421a0e1376d2a00a4e48161093"}, {"name": "https://pkg.go.dev/vuln/GO-2025-4138", "tags": ["x_refsource_MISC"], "url": "https://pkg.go.dev/vuln/GO-2025-4138"}], "affected": [{"vendor": "esm-dev", "product": "esm.sh", "versions": [{"version": "< 0.0.0-20260116051925-c62ab83c589e", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-18T22:49:29.676Z"}, "descriptions": [{"lang": "en", "value": "esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseeudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a malicious tar file. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue."}], "source": {"advisory": "GHSA-2657-3c98-63jq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T20:04:08.412888Z", "id": "CVE-2026-23644", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T20:06:58.947Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23644", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T20:04:08.412888Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T20:04:09.482Z"}}], "cna": {"title": "esm.sh has path traversal in `extractPackageTarball` that enables file writes from malicious packages", "source": {"advisory": "GHSA-2657-3c98-63jq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "esm-dev", "product": "esm.sh", "versions": [{"status": "affected", "version": "< 0.0.0-20260116051925-c62ab83c589e"}]}], "references": [{"url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-2657-3c98-63jq", "name": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-2657-3c98-63jq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16", "name": "https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/esm-dev/esm.sh/commit/c62ab83c589e7b421a0e1376d2a00a4e48161093", "name": "https://github.com/esm-dev/esm.sh/commit/c62ab83c589e7b421a0e1376d2a00a4e48161093", "tags": ["x_refsource_MISC"]}, {"url": "https://pkg.go.dev/vuln/GO-2025-4138", "name": "https://pkg.go.dev/vuln/GO-2025-4138", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseeudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a malicious tar file. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-18T22:49:29.676Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23644", "state": "PUBLISHED", "dateUpdated": "2026-01-20T20:06:58.947Z", "dateReserved": "2026-01-14T16:08:37.484Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-18T22:49:29.676Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:esm:esm.sh:*:*:*:*:*:*:*:*", "matchCriteriaId": "6FB0321A-8476-4667-8F8F-BF9D9E1DF466", "versionEndExcluding": "136", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseeudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a malicious tar file. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue."}], "id": "CVE-2026-23644", "lastModified": "2026-02-18T16:10:48.287", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-18T23:15:48.547", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/esm-dev/esm.sh/commit/c62ab83c589e7b421a0e1376d2a00a4e48161093"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-2657-3c98-63jq"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2025-4138"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T05:25:10.654918+00:00", "value": {"mitigation_remediation": ["Upgrade esm.sh to the patched version v0.0.0-20260116051925-c62ab83c589e or newer.", "If an upgrade is delayed, restrict the extraction process so that it rejects absolute paths or limits write permissions on extracted files.", "Monitor CDN logs for attempts to write files in unexpected locations or for unusual tar uploads, and alert on such events."], "summary": {"action": "Immediate patch", "impact": "Arbitrary file write via path traversal leading to potential remote code execution."}, "threat_synthesis": {"affected_systems": "The affected product is esm-dev's esm.sh running any v0.x release before the Go pseudoversion 0.0.0-20260116051925-c62ab83c589e. All instances of the CDN using earlier versions are susceptible.", "description_and_impact": "esm.sh, a no-build CDN for web development, suffered a path traversal flaw in its extractPackageTarball routine. The flaw allowed a malicious tar archive to specify absolute paths, which the service would normalize but still write to disk. An attacker could embed such a tar in a package served through the CDN, causing the server to write arbitrary files. The vulnerability permits unauthorized file modification on the hosting infrastructure, compromising the integrity and confidentiality of the CDN\u2019s contents. The likely attack vector is the delivery of a malicious package containing a tar with absolute paths; this inference is drawn from the described behavior, though the CVE text does not explicitly state the delivery mechanism.", "risk_and_exploitability": "The CVSS score of 7.7 indicates a high severity vulnerability, but the EPSS score is under 1%, denoting a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to provide a malicious package to the CDN; once the tar archive is processed, the path traversal allows arbitrary file writes. Because the flaw involves a file write, the risk extends to the confidentiality and integrity of the CDN\u2019s file system, potentially enabling remote code execution if sufficient privileges exist. The combination of a high CVSS with a low EPSS suggests that while the vulnerability is dangerous, active exploitation is presently unlikely, but the patch should be applied promptly to mitigate future risk."}}}}, "created": "2026-01-19T09:19:10.987487+00:00", "updated": "2026-04-18T05:30:25.846090+00:00", "vendors": ["esm-dev", "esm-dev$PRODUCT$esmsh"]}