x/vulndb: potential Go vuln in github.com/esm-dev/esm.sh: GHSA-g2h5-cvvr-7gmw #3967
Description
Advisory GHSA-g2h5-cvvr-7gmw references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/esm-dev/esm.sh |
Description:
Summary
A path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories (example observed: ~/.esmd/modules/transform/<id>/ instead of ~/.esmd/storage/modules/transform).
Severity: Medium
Component / Endpoint:
`POST /transfor...
References:
- ADVISORY: GHSA-g2h5-cvvr-7gmw
- ADVISORY: GHSA-g2h5-cvvr-7gmw
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-59342
- FIX: esm-dev/esm.sh@833a29f
- WEB: https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116
- WEB: https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/esm-dev/esm.sh
vulnerable_at: 0.0.0-20250917014536-776dd3903878
summary: esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header in github.com/esm-dev/esm.sh
cves:
- CVE-2025-59342
ghsas:
- GHSA-g2h5-cvvr-7gmw
references:
- advisory: https://github.com/advisories/GHSA-g2h5-cvvr-7gmw
- advisory: https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-59342
- fix: https://github.com/esm-dev/esm.sh/commit/833a29f42aeb0acbd7089a71be11dd0a292d3151
- web: https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116
- web: https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411
source:
id: GHSA-g2h5-cvvr-7gmw
created: 2025-09-17T20:01:21.035490969Z
review_status: UNREVIEWED