Path Traversal Vulnerability in esm.sh CDN by esm-dev
CVE-2025-59342

5.5 MEDIUM

Key Information:

Vendor

Esm-dev

Status
Vendor
CVE Published:
17 September 2025

What is CVE-2025-59342?

The esm.sh CDN, used in modern web development, contains a path traversal vulnerability affecting version 136 and earlier. Improper handling of the X-Zone-Id HTTP header can lead the application to write files outside its intended storage area. The header value is used to construct a filesystem path without sufficient restriction or proper canonicalization, so ../ sequences injected into X-Zone-Id can result in unauthorized file writes to arbitrary directories on the system.
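The flawed pattern described above next to a hardened form, as an added Go example that is not esm.sh's own code. The storage root, the `zones` subdirectory, the function names and the allow-list pattern are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// storageRoot is a hypothetical base directory, not esm.sh's real layout.
const storageRoot = "/var/lib/cdn/storage"

// zoneIDPattern is an assumed allow-list: a single path segment made of
// letters, digits, '_' and '-', so separators and dots never get through.
var zoneIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

var ErrBadZoneID = errors.New("invalid zone id")

// naiveZonePath joins the header value straight into a path. filepath.Join
// cleans the result, so "../" segments resolve and can leave the zones dir.
func naiveZonePath(zoneID string) string {
	return filepath.Join(storageRoot, "zones", zoneID)
}

// safeZonePath validates the header value against the allow-list, then
// confirms the joined path is still inside the zones directory.
func safeZonePath(zoneID string) (string, error) {
	if !zoneIDPattern.MatchString(zoneID) {
		return "", ErrBadZoneID
	}
	base := filepath.Join(storageRoot, "zones")
	p := filepath.Join(base, zoneID)
	// Defense in depth: a path relative to base must not start with "..".
	rel, err := filepath.Rel(base, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadZoneID
	}
	return p, nil
}

func main() {
	// Constructed sample header values.
	for _, id := range []string{"team-a", "../../etc", "a/../../b", ".."} {
		p, err := safeZonePath(id)
		fmt.Printf("%-12q naive=%-36s safe=%q err=%v\n", id, naiveZonePath(id), p, err)
	}
}
```

Rejecting the header value outright, rather than stripping `../` from it, avoids the bypasses that partial sanitization leaves open.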

Affected Version(s)

esm.sh <= 136

CVSS V4

Score:
5.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
