esm.sh Path Traversal Vulnerability in X-Zone-Id Header Allowing Arbitrary File Write
Vulnerability
A path traversal vulnerability has been identified in esm.sh, a no-build content delivery network for modern web development. The issue affects esm.sh versions up to and including 136. The server uses the value of the X-Zone-Id HTTP request header, which is attacker-controlled, to build a filesystem path for the transform cache. Before version 137 the header value was neither sanitized nor confined to the application's storage directory, so a client can place ../ sequences in X-Zone-Id and cause the resulting file to be written outside the intended directory. For example, a write meant for .esmd/storage/modules/transform/ can be redirected into the user's home directory under .esmd/modules/transform/<id>/.
Impact
Exploitation allows an unauthenticated client to create or overwrite files outside the storage directory, at any path the esm.sh process has permission to write. The consequences depend on what the process can reach: overwriting a module that is later served or executed can lead to remote code execution, dropping files in startup or configuration locations can provide persistence, and application files can be tampered with or corrupted.
Reproduction
To reproduce, send a POST request to the /transform endpoint with an X-Zone-Id header whose value contains path traversal sequences such as ../, and a request body carrying a filename and the other fields the endpoint expects. The server processes the request and writes the transformed output to a path derived from the header, outside the intended storage directory. Confirm the issue by checking that the file appears under the escaped location (for example .esmd/modules/transform/<id>/) rather than under .esmd/storage/modules/transform/.
Remediation
The upstream fix strips .. sequences from the X-Zone-Id header before the path is built. Blocklisting .. alone is a narrow fix: a more robust approach restricts the header to a single path segment drawn from an allowlisted character set, and additionally verifies that the fully resolved path still lies under the storage root before any write occurs.
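The path construction behind the reproduction steps and the remediation above, as an added Go example that is not esm.sh's own code. It assumes a storage root of /home/esm/.esmd/storage and the modules/transform/<zone-id>/<filename> layout described in the advisory; vulnerablePath, safePath, validSegment and insideStorage are hypothetical names chosen for this illustration. The constructed header value uses three ../ hops to climb from storage/modules/transform/ to .esmd/, matching the escaped location the advisory names:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// storageRoot stands in for the ~/.esmd/storage directory; the value is an
// assumption made for this example.
const storageRoot = "/home/esm/.esmd/storage"

// vulnerablePath reproduces the flawed behaviour the advisory describes: the
// X-Zone-Id header value is joined into the path without validation, so "../"
// segments walk out of storageRoot. Hypothetical name, not esm.sh's code.
func vulnerablePath(zoneID, filename string) string {
	return filepath.Join(storageRoot, "modules", "transform", zoneID, filename)
}

var errBadPath = errors.New("invalid X-Zone-Id or filename")

// safePath is the hardened form: each component must be a single allowlisted
// path segment, and the joined result is re-checked against storageRoot so
// that no encoding or normalization trick can move the write elsewhere.
func safePath(zoneID, filename string) (string, error) {
	if !validSegment(zoneID) || !validSegment(filename) {
		return "", errBadPath
	}
	p := filepath.Join(storageRoot, "modules", "transform", zoneID, filename)
	if !insideStorage(p) {
		return "", errBadPath
	}
	return p, nil
}

// validSegment accepts one non-empty component made of [A-Za-z0-9._-] that is
// neither "." nor "..". Slashes, percent signs and NULs are all rejected.
func validSegment(s string) bool {
	if s == "" || s == "." || s == ".." {
		return false
	}
	for _, r := range s {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9',
			r == '.', r == '_', r == '-':
		default:
			return false
		}
	}
	return true
}

// insideStorage reports whether the cleaned path p is storageRoot itself or a
// path beneath it, using filepath.Rel rather than a plain string prefix so
// that "/home/esm/.esmd/storage2" does not pass as "inside".
func insideStorage(p string) bool {
	rel, err := filepath.Rel(storageRoot, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	// Constructed X-Zone-Id value: three "../" hops climb from
	// storage/modules/transform/ up to .esmd/, then descend into modules/transform/evil.
	const hostile = "../../../modules/transform/evil"

	p := vulnerablePath(hostile, "index.js")
	fmt.Printf("vulnerable: %s (inside storage: %v)\n", p, insideStorage(p))

	if _, err := safePath(hostile, "index.js"); err != nil {
		fmt.Println("hardened: rejected:", err)
	}
	if ok, err := safePath("zone-1", "index.js"); err == nil {
		fmt.Println("hardened:", ok)
	}
}
```

The filepath.Rel check in insideStorage is what makes the fix hold even if the allowlist is later relaxed; stripping ".." from the header, on its own, leaves the path builder trusting its input.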
