Platform: go
Component: github.com/esm-dev/esm.sh
Fixed in: 0.0.1, 136.0.1
CVE-2026-23644 describes a Path Traversal vulnerability within esm.sh, a JavaScript module loader. This flaw allows attackers to potentially access arbitrary files on the server by crafting malicious tar archives. The vulnerability affects versions of esm.sh up to and including 136. A fix has been released in version 0.0.0-20260116051925-c62ab83c589e.
The core of the vulnerability is inadequate handling of absolute paths in tar archive entries. A previous commit attempted to address the issue but did not fully prevent path traversal. An attacker could construct a specially crafted tar file whose entry paths escape the intended extraction directory. This could allow them to read sensitive configuration files or source code, or even execute arbitrary code if the server is configured to process such files. The blast radius extends to any system that uses esm.sh to load JavaScript modules, potentially exposing a wide range of applications and services.
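The check an extractor needs is illustrated below with an added example that is not esm.sh's own code: every tar entry name is mapped onto the extraction directory and rejected if it is absolute or resolves above that directory. The archive contents, the directory `/srv/esm/extract`, and the function names are constructed for the example.

```go
package main
import (
	"archive/tar"
	"bytes"
	"io"
	"path/filepath"
	"strings"
)
// SafeExtractPath maps a tar entry name onto dest (assumed to be a cleaned absolute
// directory) and reports whether the result stays inside dest.
func SafeExtractPath(dest, name string) (string, bool) {
	// Tar names use "/"; reject absolute names regardless of host OS.
	if strings.HasPrefix(name, "/") || filepath.IsAbs(name) {
		return "", false
	}
	target := filepath.Join(dest, filepath.FromSlash(name)) // Join cleans ".." segments
	rel, err := filepath.Rel(dest, target)                 // must not climb above dest
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", false
	}
	return target, true
}
// ClassifyArchive walks a tar stream and reports which entry names would be
// accepted or rejected under dest, without writing any file.
func ClassifyArchive(dest string, r io.Reader) (accepted, rejected []string, err error) {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return accepted, rejected, nil
		} else if err != nil {
			return nil, nil, err
		}
		if _, ok := SafeExtractPath(dest, hdr.Name); ok {
			accepted = append(accepted, hdr.Name)
		} else {
			rejected = append(rejected, hdr.Name)
		}
	}
}
// BuildSampleArchive returns a constructed in-memory tar: one benign entry plus an
// absolute-path entry and a ".." entry of the kind the advisory describes.
func BuildSampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, name := range []string{"package/index.js", "/tmp/abs.js", "../escape.js"} {
		tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: 9})
		tw.Write([]byte("// sample")) // 9 bytes, matching Size
	}
	tw.Close()
	return buf.Bytes()
}
```

Running `ClassifyArchive` over the sample accepts only `package/index.js` and rejects the other two entries; the same check applies to hard-link and symlink targets, which this example does not cover.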
CVE-2026-23644 was publicly disclosed on January 20, 2026. There is currently a public proof-of-concept available demonstrating the vulnerability. The EPSS score is pending evaluation, but the existence of a public PoC suggests a medium to high probability of exploitation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.10% (28th percentile)
CISA SSVC:
The primary mitigation for CVE-2026-23644 is to immediately upgrade to version 0.0.0-20260116051925-c62ab83c589e or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting the types of files that esm.sh is allowed to serve or implementing stricter input validation on any user-provided paths. Web application firewalls (WAFs) configured to detect path traversal attempts could also provide an additional layer of defense. Monitor system logs for unusual file access patterns that might indicate exploitation.
Update the esm.sh package to version 0.0.0-20260116051925-c62ab83c589e or later. This fixes the path traversal vulnerability that allows files to be written from malicious packages. Use the npm or yarn package manager to perform the update.
CVE-2026-23644 is a Path Traversal vulnerability in esm.sh affecting versions up to 136. It allows attackers to potentially access arbitrary files by crafting malicious tar archives.
You are affected if you are using esm.sh version 136 or earlier. Check your project dependencies to determine if you are using a vulnerable version.
Upgrade to version 0.0.0-20260116051925-c62ab83c589e or later. If immediate upgrade is not possible, consider temporary workarounds like restricting file types.
While there's no confirmed widespread exploitation, a public proof-of-concept exists, indicating a potential for active exploitation.
Refer to the esm.sh GitHub repository for updates and advisories related to CVE-2026-23644: https://github.com/esm-dev/esm.sh