Platform
go
Component
github.com/esm-dev/esm.sh
Fixed in
136.0.1
0.0.0-20251117232647-9d77b88c3207
CVE-2025-65025 describes an Arbitrary File Access vulnerability discovered in the esm.sh CDN service, specifically within the github.com/esm-dev/esm.sh component. This flaw allows attackers to write arbitrary files, potentially leading to severe consequences such as code execution and complete system compromise. The vulnerability affects versions prior to 0.0.0-20251117232647-9d77b88c3207, and a patch has been released to address the issue.
The Arbitrary File Access vulnerability in esm.sh allows an attacker to write files to arbitrary locations on the server hosting the CDN. This is a critical risk because it bypasses typical access controls and allows for the injection of malicious code. An attacker could, for example, overwrite critical configuration files, inject malicious JavaScript into served assets, or even execute arbitrary commands on the server. The potential impact extends beyond the CDN itself, as compromised assets could then be served to a wide range of downstream consumers, leading to widespread compromise. The ability to write arbitrary files effectively grants the attacker a high degree of control over the affected system.
CVE-2025-65025 was publicly disclosed on 2025-11-25. The vulnerability stems from a tarslip issue within the github.com/esm-dev/esm.sh component. Currently, there are no known public exploits or active campaigns targeting this vulnerability, but the ease of exploitation suggests it could become a target. The vulnerability has not been added to the CISA KEV catalog as of this writing.
Exploit Status
EPSS
0.05% (14% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-65025 is to immediately upgrade to version 0.0.0-20251117232647-9d77b88c3207 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting file write access within the esm.sh environment using file system permissions or access control lists. Web application firewalls (WAFs) configured to inspect and block requests containing suspicious file paths or payloads could also provide a layer of defense. Monitor CDN logs for unusual file write activity and investigate any anomalies. After upgrading, confirm the fix by attempting to trigger the vulnerability with a known payload and verifying that the write operation is denied.
Actualice el servicio esm.sh a la versión 136 o superior. Esta versión contiene una corrección para la vulnerabilidad de path traversal. La actualización evitará que atacantes escriban archivos en ubicaciones arbitrarias en el servidor.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-65025 is a HIGH severity vulnerability in the esm.sh CDN allowing attackers to write arbitrary files, potentially leading to code execution. It affects versions prior to 0.0.0-20251117232647-9d77b88c3207.
You are affected if you are using the esm.sh CDN and have not upgraded to version 0.0.0-20251117232647-9d77b88c3207 or later. Check your component versions immediately.
Upgrade to version 0.0.0-20251117232647-9d77b88c3207 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting file write access or using a WAF.
As of now, there are no known public exploits or active campaigns targeting CVE-2025-65025, but the ease of exploitation suggests it could become a target.
Refer to the official esm.sh documentation and security advisories for the most up-to-date information regarding CVE-2025-65025.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.