Platform
go
Component
github.com/esm-dev/esm.sh
Fixed in
0.0.1
136.0.1
CVE-2026-23644 describes a Path Traversal vulnerability within esm.sh, a JavaScript module resolver. This flaw allows attackers to potentially read arbitrary files on the server hosting esm.sh, bypassing intended access controls. The vulnerability affects versions of esm.sh up to and including version 136. A fix has been released in version 0.0.0-20260116051925-c62ab83c589e.
The core of the vulnerability lies in inadequate handling of entry paths inside tarball archives. A previous commit attempted to address this but did not fully prevent absolute paths in malicious tar files from being resolved. An attacker could craft a tarball containing entries with paths like /../../../../etc/passwd or similar constructs. When esm.sh extracts this tarball, it could inadvertently expose sensitive files, including configuration files, source code, or even system files. The potential impact extends beyond information disclosure: depending on the server's configuration and permissions, an attacker might be able to modify or delete files, leading to a complete compromise of the system. This vulnerability shares similarities with other path traversal flaws in which improper path sanitization is leveraged to gain unauthorized access.
CVE-2026-23644 was publicly disclosed on 2026-01-20. A public proof-of-concept (PoC) is available, demonstrating the path traversal vulnerability. The vulnerability is not currently listed on the CISA KEV catalog. The EPSS score is pending evaluation, but the availability of a PoC suggests a medium probability of exploitation.
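The defensive check an extractor needs for the flaw described above, as an added example that is neither esm.sh's own code nor the referenced fix: a Go routine (esm.sh is written in Go) that resolves every tar entry name against the extraction root and rejects absolute names such as the /../../../../etc/passwd shape from the advisory, relative ".." climbs, and symlink targets that point outside the root. The function names, the destination directory /tmp/esm-build and the in-memory tarball are all constructed for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// ErrUnsafePath flags a tar entry that would resolve outside the extraction root.
var ErrUnsafePath = errors.New("tar entry escapes destination directory")

// SafeJoin resolves an archive entry name against destDir and rejects names that
// escape it: absolute names (the "/../../../../etc/passwd" shape from the advisory),
// ".." components that climb above destDir, and volume-rooted names.
func SafeJoin(destDir, name string) (string, error) {
	base := filepath.Clean(destDir)
	// Tar names are always slash-separated; convert for the host OS first.
	name = filepath.FromSlash(name)
	if filepath.IsAbs(name) || filepath.VolumeName(name) != "" {
		return "", ErrUnsafePath
	}
	// Join cleans the result, so "a/../../x" collapses before the prefix check.
	target := filepath.Join(base, name)
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return target, nil
}

// safeLink checks a symlink target, which is resolved relative to the link's own
// directory; absolute targets are refused outright.
func safeLink(destDir string, hdr *tar.Header) error {
	if filepath.IsAbs(filepath.FromSlash(hdr.Linkname)) {
		return ErrUnsafePath
	}
	_, err := SafeJoin(destDir, filepath.Join(filepath.Dir(hdr.Name), hdr.Linkname))
	return err
}

// ScanTar walks a tar stream without writing anything and classifies each entry,
// returning the resolved paths it would accept and the entry names it rejects.
func ScanTar(r io.Reader, destDir string) (safe, rejected []string, err error) {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err != nil {
			if err == io.EOF {
				err = nil // clean end of archive
			}
			return safe, rejected, err
		}
		target, jerr := SafeJoin(destDir, hdr.Name)
		if jerr == nil && hdr.Typeflag == tar.TypeSymlink {
			jerr = safeLink(destDir, hdr)
		}
		if jerr != nil {
			rejected = append(rejected, hdr.Name)
			continue
		}
		safe = append(safe, target)
	}
}

// buildSampleTar returns a constructed in-memory tarball (not a real package)
// mixing legitimate files with entries that try to escape the extraction root.
func buildSampleTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	add := func(hdr *tar.Header, body string) {
		hdr.Mode, hdr.Size = 0o644, int64(len(body))
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		_, _ = tw.Write([]byte(body)) // Size matches len(body), so this cannot overflow
	}
	add(&tar.Header{Name: "package/package.json", Typeflag: tar.TypeReg}, `{"name":"demo"}`)
	add(&tar.Header{Name: "package/index.js", Typeflag: tar.TypeReg}, "export default 1;")
	add(&tar.Header{Name: "package/ok", Typeflag: tar.TypeSymlink, Linkname: "index.js"}, "")
	add(&tar.Header{Name: "/../../../../etc/passwd", Typeflag: tar.TypeReg}, "root:x:0:0")
	add(&tar.Header{Name: "package/../../outside.txt", Typeflag: tar.TypeReg}, "escaped")
	add(&tar.Header{Name: "package/link", Typeflag: tar.TypeSymlink, Linkname: "../../etc/passwd"}, "")
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	safe, rejected, err := ScanTar(bytes.NewReader(buildSampleTar()), "/tmp/esm-build")
	fmt.Println("accepted:", safe, "rejected:", rejected, "err:", err)
}
```

Running it accepts the three package/ entries and rejects the absolute name, the relative climb and the symlink aimed at ../../etc/passwd. A name check alone is not sufficient for a real extractor: a later entry can still be written through a symlinked directory that an earlier entry created, so file creation inside destDir must also refuse to follow symlinks (lstat each path component or open with O_NOFOLLOW semantics).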
Applications and services that rely on esm.sh to load JavaScript modules are at risk. This includes projects using esm.sh as a CDN or module resolver. Developers who have integrated esm.sh into their build processes or deployment pipelines should prioritize upgrading to the patched version.
• linux / server:
  journalctl -u esm.sh -f | grep -i "path traversal"
• generic web:
  curl -I <esm.sh_endpoint> | grep -i "path traversal"
Disclosure
Exploit-Status
EPSS
0.10% (28th percentile)
CISA SSVC
The primary mitigation for CVE-2026-23644 is to upgrade to the patched version, 0.0.0-20260116051925-c62ab83c589e. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. One approach is to restrict the directories from which esm.sh can resolve modules, limiting the potential blast radius of a successful exploit. Additionally, a Web Application Firewall (WAF) or reverse proxy could be configured to inspect incoming requests for suspicious path patterns and block those that attempt to traverse outside of the expected directory structure. Regularly review and update the esm.sh configuration to ensure it adheres to security best practices.
Update the esm.sh package to version 0.0.0-20260116051925-c62ab83c589e or later. This fixes the path traversal vulnerability that allows files to be written from malicious packages. Use the npm or yarn package manager to perform the update.
CVE-2026-23644 is a Path Traversal vulnerability in esm.sh affecting versions up to 136. It allows attackers to potentially access arbitrary files by crafting malicious tar archives.
You are affected if you are using esm.sh version 136 or earlier. Check your project dependencies to determine if you are using a vulnerable version.
Upgrade to version 0.0.0-20260116051925-c62ab83c589e or later. If immediate upgrade is not possible, consider temporary workarounds like restricting file types.
While there's no confirmed widespread exploitation, a public proof-of-concept exists, indicating a potential for active exploitation.
Refer to the esm.sh GitHub repository for updates and advisories related to CVE-2026-23644: https://github.com/esm-dev/esm.sh