esm.sh Path Traversal Vulnerability Allowing Arbitrary File Write
Vulnerability
A path traversal vulnerability has been identified in the esm.sh CDN service, prior to version 136, in the code that extracts NPM package tarballs. Entry names inside a tarball are not validated before they are joined to the extraction directory, so a name containing ".." segments (or an absolute path) can escape that directory. An attacker who publishes a crafted package to a registry that esm.sh is asked to fetch from can therefore write files to arbitrary locations on the server, including over package resources in the esm.sh cache. Because cached resources are served to every client that imports them, this can lead to remote code execution on end-user endpoints that import the compromised packages.
Impact
Exploitation of this vulnerability enables large-scale remote code execution on end-user endpoints through a supply chain attack. By writing outside the extraction directory, an attacker can overwrite package resources in the esm.sh cache with malicious code, which is then served to and executed by every client that imports the backdoored packages. The impact is most severe for popular packages, since it reaches all downstream users; an attacker could target framework packages such as React or Vue, with the malicious code running in the context of the user's browser or of an Electron application.
Reproduction
To reproduce this vulnerability, first create a malicious NPM package tarball containing an entry whose name escapes the extraction directory, for example a name with enough "../" segments to resolve to a location under /tmp. A short Python script using the tarfile module can build such a tarball, since entry names are stored exactly as given. Next, publish the tarball to an attacker-controlled NPM registry. Finally, send a request to the esm.sh service for the package, setting the X-Npmrc header so that esm.sh resolves the package from the malicious registry; esm.sh then downloads and extracts the tarball. The traversal can be confirmed by checking that the file now exists at the chosen location outside the extraction directory.
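The following is an added example, not code from esm.sh (which is written in Go) or from the advisory. It models the two halves of the issue in Python: building an npm-style tarball whose entry name climbs out of the extraction directory, and the per-entry path check an extractor must run before writing. The package name "evil-pkg", the entry names and the file contents are constructed for the example; the traversal entry is kept inside a temporary sandbox rather than aimed at /tmp so that the demonstration can run anywhere. The check also covers symlink and hardlink entries, which the advisory does not mention but which escape an extraction directory the same way.

```python
import io
import os
import tarfile
import tempfile


def build_tarball(entries):
    """Build a gzipped tarball in memory.

    entries: iterable of (name, data, linkname). A regular file has bytes in
    `data`; a symlink has `data=None` and its target in `linkname`. Names are
    stored exactly as given, which is what lets a traversal name survive.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, linkname in entries:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_malicious_tarball(traversal_name="package/../../escaped.txt"):
    """Constructed npm-style package: one legitimate entry under package/ and
    one whose name climbs out of it. The advisory's /tmp variant is the same
    entry with more "../" segments; the default here stays inside a sandbox."""
    pkg_json = b'{"name": "evil-pkg", "version": "1.0.0", "main": "index.js"}'
    return build_tarball([
        ("package/package.json", pkg_json, None),
        (traversal_name, b"written outside the extraction directory\n", None),
    ])


def naive_extract(tar_bytes, dest_dir):
    """The vulnerable pattern: trust the stored name and join it to dest_dir."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            out = os.path.normpath(os.path.join(dest_dir, m.name))
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with open(out, "wb") as f:
                f.write(tar.extractfile(m).read())


def _inside(base, path):
    """True if `path`, once resolved, is `base` or lies beneath it."""
    return os.path.commonpath([base, os.path.realpath(path)]) == base


def find_unsafe_members(tar_bytes, dest_dir):
    """The check the extractor should run before writing anything.

    Returns the names of entries whose resolved destination, or whose link
    target, falls outside dest_dir. An empty list means extraction is safe.
    """
    base = os.path.realpath(dest_dir)
    unsafe = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            target = os.path.join(base, m.name)  # an absolute m.name replaces base here
            if not _inside(base, target):
                unsafe.append(m.name)
            elif m.issym() and not _inside(base, os.path.join(os.path.dirname(target), m.linkname)):
                unsafe.append(m.name)
            elif m.islnk() and not _inside(base, os.path.join(base, m.linkname)):
                unsafe.append(m.name)
    return unsafe


def safe_extract(tar_bytes, dest_dir):
    """Refuse the whole tarball if any entry would escape dest_dir."""
    unsafe = find_unsafe_members(tar_bytes, dest_dir)
    if unsafe:
        raise ValueError("path traversal in tarball entries: %r" % unsafe)
    naive_extract(tar_bytes, dest_dir)  # every name is now known to stay under dest_dir


def demo():
    """Run both the naive extractor and the check in a throwaway sandbox.

    Returns (escaped, flagged, link_flagged): whether the naive extractor wrote
    a file above its directory, which entries the check flags for the traversal
    tarball, and which it flags for a tarball carrying an escaping symlink."""
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "extract")
        os.makedirs(dest)
        tarball = build_malicious_tarball()
        naive_extract(tarball, dest)
        escaped = os.path.isfile(os.path.join(root, "escaped.txt"))
        flagged = find_unsafe_members(tarball, dest)
        link_tar = build_tarball([("package/lnk", None, "../../outside")])
        link_flagged = find_unsafe_members(link_tar, dest)
        return escaped, flagged, link_flagged


if __name__ == "__main__":
    print(demo())
```

The check resolves the destination with os.path.realpath before comparing, so an entry that passes through a symlink already present in the extraction directory is caught as well as a lexical "../" chain; comparing normalized strings alone would miss the former. Rejecting the whole tarball rather than skipping the offending entry is deliberate: a package that carries such an entry is hostile, and partial extraction leaves a half-written cache entry.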
Remediation
Users are advised to update to esm.sh version 136 or later, where this vulnerability has been patched.