esm.sh Path Traversal Vulnerability Allowing Arbitrary File Writes

A path traversal vulnerability has been identified in esm.sh, a no-build content delivery network (CDN) for web development. This vulnerability exists in versions prior to Go pseudoversion 0.0.0-20260116051925-c62ab83c589e, and allows for arbitrary file writes from malicious packages. The issue arises because the `path.Clean` function normalizes file paths but does not prevent absolute paths from being exploited in a harmful tar file. As a result, files can be written outside of the intended directory, potentially overwriting important configuration files or cached data. In some cases, this could lead to server-side code execution, such as writing to cron files, although it's unclear if this is feasible with the default deployment configuration.

Impact

Exploitation of this vulnerability enables arbitrary file writes, which can overwrite the esm.sh configuration file and poison cached packages. Such file writes could potentially be leveraged for server-side code execution, depending on the specific files and execution context involved.

Reproduction

The vulnerability can be reproduced by creating a malicious tarball that includes a path traversal attempt, such as a file named '/../../../bad/bad.txt'. This tarball can then be processed by the `extractPackageTarball` function, which will inadvertently write the traversed file to the root directory, bypassing normal file write restrictions.

Remediation

Users can update to esm.sh versions through Go pseudoversion 0.0.0-20260116051925-c62ab83c589e to address this vulnerability.