CVE-2025-59342
published 2025-09-17
Priority P3 · 48 · medium · 5.5 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS 2.83% (84.8th percentile)
esm.sh is a no-build content delivery network (CDN) for modern web development. In version 136 and earlier, a path-traversal flaw in the handling of the `X-Zone-Id` HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application's storage base directory. As a result, supplying `../` sequences in `X-Zone-Id` causes files to be written to arbitrary directories. Version 136.1 contains a patch.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| esm-dev | esm.sh | <= 136 | — |
| github.com | esm-dev_esm.sh | >= 0 < 136.1 | 136.1 |
OSV
esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header in github.com/esm-dev/esm.sh
osv·2025-09-24 · CVE-2025-59342
OSV
esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header
osv·2025-09-17 · CVE-2025-59342 [MEDIUM]
## Summary
A path-traversal flaw in the handling of the `X-Zone-Id` HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying `../` sequences in `X-Zone-Id` causes files to be written to arbitrary directories (example observed: `~/.esmd/modules/transform//` instead of `~/.esmd/storage/modules/transform`).
**Severity:** Medium
**Component / Endpoint:**
`POST /transform` — handling of `X-Zone-Id` header
The vulnerable code is in https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116 and
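The advisory's root cause is a path built from a caller-controlled header value without canonicalization or a containment check against the storage base. The following Go code is an added illustration written for this page, not code from esm.sh: `naiveZonePath` shows the unsafe pattern (raw header value joined into the path, so `../` segments walk out of the base), and `safeZonePath` shows the hardened form, which cleans the joined path and rejects any result that does not stay strictly inside the base. The storage root `/srv/esmd/storage`, the `modules/transform/<zone>` layout, and the function names are assumptions made for the example; the real server's layout is not known from the page. `validZoneID` adds an allow-list on the header value as defence in depth.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// storageRoot is a constructed sample base directory (an assumption for this
// example, not esm.sh's real configuration).
const storageRoot = "/srv/esmd/storage"

// ErrOutsideBase is returned when a caller-supplied zone id would resolve to
// a location outside the storage base.
var ErrOutsideBase = errors.New("zone id escapes the storage base directory")

// naiveZonePath mirrors the unsafe pattern the advisory describes: the raw
// header value is joined into the storage path. filepath.Join cleans the
// result, so "../" segments in zoneID resolve to directories above the base.
// Kept here only to contrast with safeZonePath; never use it with untrusted input.
func naiveZonePath(base, zoneID string) string {
	return filepath.Join(base, "modules", "transform", zoneID)
}

// safeZonePath is the hardened form. It joins and cleans the candidate path,
// then requires that the path relative to the intended root neither is the
// root itself nor starts with "..", i.e. the result is a proper subdirectory.
func safeZonePath(base, zoneID string) (string, error) {
	root := filepath.Join(filepath.Clean(base), "modules", "transform")
	if zoneID == "" || filepath.IsAbs(zoneID) {
		return "", ErrOutsideBase
	}
	candidate := filepath.Join(root, zoneID) // Join also cleans "." and ".." segments
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return "", err
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return candidate, nil
}

// zoneIDPattern is an allow-list for the header value: a short token of
// letters, digits, '-' and '_'. Rejecting everything else up front means the
// path check above is a second line of defence rather than the only one.
var zoneIDPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$`)

// validZoneID reports whether zoneID passes the allow-list.
func validZoneID(zoneID string) bool {
	return zoneIDPattern.MatchString(zoneID)
}

func main() {
	// Constructed header values: a benign zone id and one shaped like the
	// traversal the advisory describes (the observed path ended in
	// ".esmd/modules/transform/", i.e. above the storage base).
	for _, zone := range []string{"zone-a", "../../../modules/transform/"} {
		fmt.Printf("zone %q\n", zone)
		fmt.Printf("  naive path: %s\n", naiveZonePath(storageRoot, zone))
		if p, err := safeZonePath(storageRoot, zone); err != nil {
			fmt.Printf("  safe path : rejected (%v)\n", err)
		} else {
			fmt.Printf("  safe path : %s\n", p)
		}
		fmt.Printf("  allow-list: %v\n", validZoneID(zone))
	}
}
```

Note that `filepath.Join` cleaning the path is not a containment check: it resolves `..` faithfully, which is exactly why the naive form escapes. The `filepath.Rel` test is what turns "cleaned" into "contained". If the storage base can contain symlinks, resolve it with `filepath.EvalSymlinks` before the comparison as well.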
GHSA
esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header
ghsa·2025-09-17 · CVE-2025-59342 [MEDIUM] · CWE-24
No detection rules found.
Exploit-DB
esm-dev 136 - Path Traversal
exploitdb·2025-12-16·CVSS 5.5 · CVE-2025-59342 [MEDIUM]
---
```c
# Exploit Title: esm-dev 136 - Path Traversal
# Date: 2025-07-11
# Exploit Author: Byte Reaper
# Vendor Homepage: https://github.com/esm-dev/esm.sh
# Software Link: https://github.com/esm-dev/esm.sh
# CVE-2025-59342
- File : exploit.c
- Date : 09/17/2025
- Target : esm-dev
- Version: 136
- Target Endpoint : /transform
- Target Header : X-Zone-Id
- Vuln :
- Run exploit :
# gcc exploit.c argparse.c -o CVE-2025-59342 -lcurl
# ./CVE-2025-59342
#include
#include
#include
#include "argparse.h"
#include
#include
#include
#define FULL_URL 2500
#define P_Y 2000
#define POST_DATA 9000
int flagPort = 0;
int port = 80;
int selectPort = -1;
int verbose = 0;
int code = 1;
int found = 1;
int cF = 0;
int s = 0;
int bY = 0;
int sP = 0;
const char* cookies = NULL;
const ch
```
Nuclei
esm.sh <= v136 - Arbitrary File Write via Path Traversal
nuclei·CVSS 5.5 · CVE-2025-59342 [MEDIUM]
esm.sh <= 136 contains a path traversal caused by improper canonicalization of the X-Zone-Id HTTP header, letting attackers write files outside the intended storage directory; exploitation requires crafted header input.
Template:
```yaml
id: CVE-2025-59342

info:
  name: esm.sh <= v136 - Arbitrary File Write via Path Traversal
  author: 0x_Akoko
  severity: medium
  description: |
    esm.sh <= 136 contains a path traversal caused by improper canonicalization of the X-Zone-Id HTTP header, letting attackers write files outside the intended storage directory, exploit requires crafted header input.
  impact: |
    Attackers can write files to arbitrary directories, potentially leading to system compromise or data tampering.
  remediation: |
    Update to a version later
```
No writeups or analysis indexed.
2025-09-17
Published