{"id":"CVE-2026-23644","summary":"esm.sh has path traversal in `extractPackageTarball` that enables file writes from malicious packages","details":"esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a malicious tar file. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue.","aliases":["GHSA-2657-3c98-63jq","GO-2026-4332"],"modified":"2026-04-10T05:39:13.156759Z","published":"2026-01-18T22:49:29.676Z","related":["SUSE-SU-2026:0757-1"],"database_specific":{"cwe_ids":["CWE-22"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23644.json"},"references":[{"type":"WEB","url":"https://pkg.go.dev/vuln/GO-2025-4138"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23644.json"},{"type":"ADVISORY","url":"https://github.com/esm-dev/esm.sh/security/advisories/GHSA-2657-3c98-63jq"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23644"},{"type":"FIX","url":"https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16"},{"type":"FIX","url":"https://github.com/esm-dev/esm.sh/commit/c62ab83c589e7b421a0e1376d2a00a4e48161093"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/esm-dev/esm.sh","events":[{"introduced":"0"},{"fixed":"1ad31b6352bb0a064ece812f6f360e4850e16051"},{"fixed":"9d77b88c320733ff6689d938d85d246a3af9af16"},{"fixed":"c62ab83c589e7b421a0e1376d2a00a4e48161093"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"136"}]}}],"versions":["v100","v101","v102","v103","v104","v105","v106","v107","v108","v109","v110","v111","v112","v113","v114",
"v115","v116","v117","v119","v120","v121","v122","v123","v124","v125","v126","v127","v128","v129","v130","v131","v132","v133","v134","v135","v135_1","v136","v136_1","v34","v35","v37","v38","v39","v40","v41","v43","v44","v45","v46","v47","v49","v50","v51","v52","v53","v55","v56","v57","v59","v60","v61","v62","v63","v64","v65","v66","v67","v68","v69","v70","v71","v72","v73","v74","v75","v76","v77","v78","v79","v80","v81","v82","v83","v84","v85","v86","v87","v88","v89","v90","v91","v92","v93","v94","v95","v96","v97","v98","v99"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23644.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"}]}