{"id":"CVE-2025-65025","summary":"esm.sh CDN service has arbitrary file write via tarslip","details":"esm.sh is a nobuild content delivery network(CDN) for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths (e.g., package/../../tmp/evil.js). When esm.sh downloads and extracts this package, files may be written to arbitrary locations on the server, escaping the intended extraction directory. This issue has been patched in version 136.","aliases":["GHSA-h3mw-4f23-gwpw","GO-2025-4138"],"modified":"2026-04-02T13:00:06.799253Z","published":"2025-11-19T17:32:46.835Z","related":["SUSE-SU-2025:4395-1"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/65xxx/CVE-2025-65025.json","cwe_ids":["CWE-22"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/65xxx/CVE-2025-65025.json"},{"type":"ADVISORY","url":"https://github.com/esm-dev/esm.sh/security/advisories/GHSA-h3mw-4f23-gwpw"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-65025"},{"type":"FIX","url":"https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/esm-dev/esm.sh","events":[{"introduced":"0"},{"fixed":"1ad31b6352bb0a064ece812f6f360e4850e16051"}]}],"versions":["v100","v101","v102","v103","v104","v105","v106","v107","v108","v109","v110","v111","v112","v113","v114","v115","v116","v117","v118","v119","v120","v121","v122","v123","v124","v125","v126","v127","v128","v129","v130","v131","v132","v133","v134","v135","v135_1","v135_2","v135_3","v135_4","v135_5","v135_6","v135_7","v34","v35","v37","v38","v39","v40","v41","v43","v44","v45","v46","v47","v48","v49","v50","v51","v52","v53","v55","v56","v57","v59","v60","v61","v62","v63","v64","v65","v66","v67","v68","v69","v70","v71","v72","v73","v74","v75","v76","v77","v78","v79","v80","v81","v82","v83","v84","v85","v86","v87","v88","v89","v90","v91","v92","v93","v94","v95","v96","v97","v98","v99"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-65025.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"}]}