Plattform
go
Komponente
github.com/esm-dev/esm.sh
Behoben in
136.0.1
0.0.0-20251117232647-9d77b88c3207
CVE-2025-65025 describes an Arbitrary File Access vulnerability discovered in the esm.sh CDN service, specifically within the github.com/esm-dev/esm.sh component. This flaw allows attackers to write arbitrary files, potentially leading to severe consequences such as code execution and system compromise. The vulnerability affects versions of esm.sh prior to 0.0.0-20251117232647-9d77b88c3207, and a patched version has been released.
The Arbitrary File Access vulnerability in esm.sh allows an attacker to write files to the server's filesystem. This is a critical security risk because it bypasses normal access controls. A successful exploit could allow an attacker to overwrite critical system files, inject malicious code (e.g., a reverse shell), or modify configuration files to gain persistent access. The impact is particularly severe because esm.sh is a CDN, meaning it serves JavaScript modules to numerous websites and applications. Compromise of esm.sh could therefore lead to widespread code injection across many downstream applications, creating a significant supply chain attack vector. The ability to write arbitrary files effectively grants the attacker a high degree of control over the affected system.
CVE-2025-65025 was publicly disclosed on 2025-11-25. Currently, there is no indication of active exploitation in the wild, nor is it listed on CISA KEV. Public proof-of-concept exploits are not yet available, but the nature of the vulnerability (arbitrary file write) suggests a high likelihood of PoCs being developed. Given the CDN nature of esm.sh, any exploitation would likely be widespread and impactful.
Organizations relying on the esm.sh CDN service for delivering JavaScript packages are at risk. This includes developers and teams using Node.js, React, Angular, or other JavaScript-based frameworks. Specifically, those using older versions of the github.com/esm-dev/esm.sh component are vulnerable.
• go: Inspect the github.com/esm-dev/esm.sh component for versions prior to 0.0.0-20251117232647-9d77b88c3207 using go list -m github.com/esm-dev/esm.sh.
• generic web: Monitor CDN logs for unusual file write activity, particularly requests containing suspicious file paths or payloads.
• generic web: Use curl to probe for potential file write endpoints, attempting to write files to unexpected locations. Example: curl -X POST -d '...' <cdn_url>/path/to/potential/write/endpoint
disclosure
Exploit-Status
EPSS
0.05% (14% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-65025 is to immediately upgrade to version 0.0.0-20251117232647-9d77b88c3207 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. While a direct WAF rule to prevent arbitrary file writes is difficult, carefully reviewing and restricting file upload paths within your applications using esm.sh modules can reduce the attack surface. Monitor esm.sh's status page and security advisories for further guidance. After upgrading, confirm the fix by attempting to trigger the vulnerable file write operation and verifying that it is now blocked.
Actualice el servicio esm.sh a la versión 136 o superior. Esta versión contiene una corrección para la vulnerabilidad de path traversal. La actualización evitará que atacantes escriban archivos en ubicaciones arbitrarias en el servidor.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-65025 is a HIGH severity vulnerability in the esm.sh CDN allowing attackers to write arbitrary files, potentially leading to code execution. It affects versions prior to 0.0.0-20251117232647-9d77b88c3207.
You are affected if you are using the esm.sh CDN and have not upgraded to version 0.0.0-20251117232647-9d77b88c3207 or later. Check your component versions immediately.
Upgrade to version 0.0.0-20251117232647-9d77b88c3207 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting file write access or using a WAF.
As of now, there are no known public exploits or active campaigns targeting CVE-2025-65025, but the ease of exploitation suggests it could become a target.
Refer to the official esm.sh documentation and security advisories for the most up-to-date information regarding CVE-2025-65025.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine go.mod-Datei hoch und wir sagen dir sofort, ob du betroffen bist.