Impact
esm.sh, a no-build CDN for web development, suffered a path traversal flaw in its extractPackageTarball routine. The flaw allowed a malicious tar archive to specify absolute paths, which the service would normalize but still write to disk. An attacker could embed such a tar in a package served through the CDN, causing the server to write arbitrary files. The vulnerability permits unauthorized file modification on the hosting infrastructure, compromising the integrity and confidentiality of the CDN’s contents. The likely attack vector is the delivery of a malicious package containing a tar with absolute paths; this inference is drawn from the described behavior, though the CVE text does not explicitly state the delivery mechanism.
Affected Systems
The affected product is esm-dev's esm.sh running any v0.x release before the Go pseudoversion 0.0.0-20260116051925-c62ab83c589e. All instances of the CDN using earlier versions are susceptible.
Risk and Exploitability
The CVSS score of 7.7 indicates a high-severity vulnerability, but the EPSS score is under 1%, denoting a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to provide a malicious package to the CDN; once the tar archive is processed, the path traversal allows arbitrary file writes. Because the flaw involves a file write, the risk extends to the confidentiality and integrity of the CDN’s file system, potentially enabling remote code execution if sufficient privileges exist. The combination of a high CVSS with a low EPSS suggests that the vulnerability is dangerous but not currently under active exploitation; the patch should nonetheless be applied promptly to mitigate future risk.
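A defensive counterpart to the extraction flaw described above, added here as an example and not taken from esm.sh's own code: every entry of a package tarball is checked against the destination directory before anything is written, and absolute names or ".." escapes are refused outright instead of being normalized. The function names safeJoin and validateTarball and the destination path used in comments are assumptions.

```go
package main

import (
	"archive/tar"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

var errUnsafePath = errors.New("tar entry escapes destination")

// safeJoin resolves a tar entry name under dest and refuses anything that could
// land outside it: absolute or volume-qualified names, and names whose cleaned
// form climbs above dest through "..". A normalized absolute path is still an
// attacker-chosen location on disk, so refusing beats rewriting.
func safeJoin(dest, name string) (string, error) {
	if name == "" || strings.HasPrefix(name, "/") || filepath.IsAbs(name) || filepath.VolumeName(name) != "" {
		return "", errUnsafePath
	}
	target := filepath.Join(dest, name) // Join also cleans "." and ".." segments
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errUnsafePath
	}
	return target, nil
}

// validateTarball walks every header in r before anything is written and returns
// the on-disk targets the regular files would occupy under dest (for example
// /srv/esm/pkg, an assumed path). The first unsafe entry fails the whole archive,
// so a package is rejected up front rather than partially extracted. Links and
// other special entries are ignored: a hardened extractor does not materialize them.
func validateTarball(r io.Reader, dest string) ([]string, error) {
	tr := tar.NewReader(r)
	var targets []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return targets, nil
		} else if err != nil {
			return nil, err
		}
		target, err := safeJoin(dest, hdr.Name)
		if err != nil {
			return nil, fmt.Errorf("%w: %q", err, hdr.Name)
		}
		if hdr.Typeflag == tar.TypeReg {
			targets = append(targets, target)
		}
	}
}
```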
OpenCVE Enrichment
GitHub GHSA