Zip Slip's Evil Twin: Deconstructing CVE-2026-23644 in esm.sh
Vulnerability ID: CVE-2026-23644
CVSS Score: 7.7
Published: 2026-01-18
A critical Path Traversal vulnerability in the esm.sh CDN allows attackers to write arbitrary files to the server by supplying malicious NPM tarballs. The flaw highlights a classic confusion between Go's 'path' and 'filepath' packages.
TL;DR
The 'esm.sh' CDN service failed to properly sanitize filenames within NPM tarballs. By crafting a package with filenames containing '../', an attacker can escape the intended extraction directory and overwrite files on the server. The initial fix attempt failed because 'path.Clean' does not neutralize leading relative paths.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-22 (Path Traversal)
- CVSS v4.0: 7.7 (High)
- Attack Vector: Network
- Impact: Arbitrary File Write
- EPSS Score: 0.00047 (Low)
- Exploit Status: PoC Available
Affected Systems
- esm.sh (Self-hosted instances)
- esm.sh (CDN infrastructure)
- esm.sh: < 0.0.0-20260116051925-c62ab83c589e (Fixed in: 0.0.0-20260116051925-c62ab83c589e)
Code Analysis
Commit: c62ab83
Final fix switching to filepath and adding jail check
- filename := path.Join(pkgDir, path.Clean(name))
+ targetPath := filepath.Join(destDir, name)
+ if !strings.HasPrefix(targetPath, filepath.Clean(destDir))...
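Review bot: the containment check `strings.HasPrefix(targetPath, filepath.Clean(destDir))` compares against the cleaned root without a trailing separator, so a target in a sibling directory whose name merely begins with the root's name (destDir `/srv/pkg`, target `/srv/pkg-old/x`) passes the check; compare against `filepath.Clean(destDir) + string(os.PathSeparator)` (accepting exact equality for the root itself) or use `filepath.Rel` and reject any result that starts with `..`. The check is also purely lexical: it does not see through symlink or hardlink entries that an earlier header in the same archive may have created, so those entry types need their own validation before anything is written.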
Commit: 9d77b88
Incomplete fix using path.Clean
+ filename := path.Join(pkgDir, path.Clean(name))
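Review bot: `path.Clean(name)` does not neutralize a leading `..` segment, so `path.Clean("../../x")` is returned unchanged and `path.Join(pkgDir, ...)` still resolves above `pkgDir`; cleaning the entry name is not a containment check. Join first, then verify the result is still inside `pkgDir` before opening the file. Separately, `path` is for slash-separated URL-style paths; filesystem paths should go through `path/filepath`.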
Exploit Details
- Context: Go test case demonstrating the traversal using a crafted tar header.
Mitigation Strategies
- Update esm.sh to version 0.0.0-20260116051925-c62ab83c589e or later.
- Implement strict path validation ensuring resolved paths start with the intended root.
- Run the service with least-privilege user permissions to limit write impact.
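An added example (not code from the esm.sh project) contrasting the two approaches the advisory describes: NaiveJoin reproduces the incomplete path.Clean fix, while SafeJoin is a jail check built on filepath.Rel that also rejects a sibling directory sharing the root's name prefix. The extraction root and entry names are constructed.

```go
package main

import (
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// NaiveJoin mirrors the incomplete fix: path.Clean only removes "." segments and
// collapses separators, so a leading "../" survives and path.Join then resolves
// the entry above pkgDir.
func NaiveJoin(pkgDir, name string) string {
	return path.Join(pkgDir, path.Clean(name))
}

// SafeJoin resolves a tar entry name under destDir and rejects anything that leaves it.
// Containment is decided with filepath.Rel rather than a bare string prefix, so a
// sibling directory that merely starts with destDir's name ("/srv/esm/pkg-old") is rejected.
func SafeJoin(destDir, name string) (string, error) {
	root := filepath.Clean(destDir)
	target := filepath.Join(root, name) // Join cleans, so "lib/../util.js" becomes "util.js"
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
		return "", fmt.Errorf("tar entry %q escapes %s", name, root)
	}
	return target, nil
}

func main() {
	// Constructed entry names, not from a real package; the last two carry a leading "../".
	names := []string{"package/index.js", "package/lib/../util.js", "../../escaped.txt", "../pkg-old/x.js"}
	for _, n := range names {
		safe, err := SafeJoin("/srv/esm/pkg", n)
		fmt.Printf("%-24s naive=%-26s safe=%s err=%v\n", n, NaiveJoin("/srv/esm/pkg", n), safe, err)
	}
}
```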
Remediation Steps:
- Pull the latest version of the esm.sh container or source code.
- Audit the filesystem for any unexpected files created prior to the patch.
- Verify that the service user cannot write to system directories or configuration paths.
References
Read the full report for CVE-2026-23644 on our website for more details including interactive diagrams and full exploit analysis.