High severity · OSV Advisory · Published Jan 18, 2026 · Updated Jan 20, 2026
esm.sh has path traversal in `extractPackageTarball` that enables file writes from malicious packages
CVE-2026-23644
Description
esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability in `extractPackageTarball` due to an incomplete fix: path.Clean normalizes a path (collapsing `.` and `..` segments) but leaves an absolute path absolute, so an entry name in a malicious package tarball can still point outside the intended extraction directory and cause a file write there. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue.
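As an added example (written for this page; it is not esm.sh's code and not the logic of the fix commit), the following Go program contrasts a check that relies on path.Clean alone with one that also rejects absolute names and re-verifies containment against the extraction root. The helper names naiveIsSafe, safeTarget and extractCheck, the tar entry names, and the root /srv/esm/node_modules/pkg are assumptions constructed for the illustration; nothing here writes to the filesystem.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for a tar entry whose name would resolve outside
// the extraction root.
var ErrUnsafePath = errors.New("unsafe path in tarball")

// naiveIsSafe is the kind of incomplete check the advisory describes
// (hypothetical helper for this example, not esm.sh's code): path.Clean
// collapses "a/../b" and the leading-".." test catches relative escapes, but
// an absolute name such as "/etc/cron.d/evil" comes out of path.Clean
// unchanged and is accepted.
func naiveIsSafe(name string) bool {
	cleaned := path.Clean(name)
	return cleaned != ".." && !strings.HasPrefix(cleaned, "../")
}

// safeTarget is the hardened check. It rejects absolute names (POSIX form and
// the host's form, e.g. a Windows drive letter), backslashes, and any name
// that climbs above root via "..", then re-verifies containment with
// filepath.Rel as an independent second guard.
func safeTarget(root, name string) (string, error) {
	if name == "" || strings.ContainsRune(name, '\\') {
		return "", ErrUnsafePath
	}
	if path.IsAbs(name) || filepath.IsAbs(name) || filepath.VolumeName(name) != "" {
		return "", ErrUnsafePath
	}
	cleaned := path.Clean(name)
	if cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return "", ErrUnsafePath
	}
	dest := filepath.Join(root, filepath.FromSlash(cleaned))
	rel, err := filepath.Rel(root, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return dest, nil
}

// Result records what the hardened extractor decides for one entry.
type Result struct {
	Name     string
	Dest     string // set only for accepted entries
	Rejected bool
}

// extractCheck walks an uncompressed tarball and returns one Result per entry
// without touching the filesystem. Symlink and hardlink entries are rejected
// outright: their link targets are a second traversal vector that name checks
// alone do not cover.
func extractCheck(root string, tarball []byte) ([]Result, error) {
	tr := tar.NewReader(bytes.NewReader(tarball))
	var out []Result
	for {
		h, err := tr.Next()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, err
		}
		r := Result{Name: h.Name, Rejected: true}
		if h.Typeflag == tar.TypeReg || h.Typeflag == tar.TypeDir {
			if dest, err := safeTarget(root, h.Name); err == nil {
				r.Dest, r.Rejected = dest, false
			}
		}
		out = append(out, r)
	}
}

// buildTar constructs an in-memory tarball of one-byte regular files
// (constructed sample data; archive/tar does not validate entry names).
func buildTar(names []string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		body := []byte("x")
		hdr := &tar.Header{Name: n, Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write(body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// SampleNames are constructed entry names: the first is benign, the rest try
// to escape the extraction root.
var SampleNames = []string{
	"package/index.js",
	"package/../../escape.js",
	"/etc/cron.d/evil",
	"/../../../etc/cron.d/evil",
}

func main() {
	root := "/srv/esm/node_modules/pkg" // assumed extraction root
	results, err := extractCheck(root, buildTar(SampleNames))
	if err != nil {
		panic(err)
	}
	for _, r := range results {
		fmt.Printf("%-28s naive_accepts=%-5t hardened_rejects=%-5t dest=%s\n",
			r.Name, naiveIsSafe(r.Name), r.Rejected, r.Dest)
	}
}
```

Running it prints one line per entry: the benign name gets a destination under root, the relative escape is caught by both checks, and the two absolute names pass naiveIsSafe but are rejected by safeTarget. A real extractor additionally needs to refuse (or validate the Linkname of) symlink and hardlink entries, because a symlink created by an earlier entry can redirect a later, name-checked write outside the root.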
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/esm-dev/esm.sh | Go | >= 0.0.1, <= 136 | — |
| github.com/esm-dev/esm.sh | Go | < 0.0.0-20260116051925-c62ab83c589e | 0.0.0-20260116051925-c62ab83c589e |
Affected products
- pkg:golang/github.com/esm-dev/esm.sh (no CPE): range >= 0.0.1, <= 136
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 (no CPE): range < 0.0.20260226T182644-150000.1.149.1
References
- https://github.com/advisories/GHSA-2657-3c98-63jq (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-23644 (NVD advisory)
- https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16 (commit)
- https://github.com/esm-dev/esm.sh/commit/c62ab83c589e7b421a0e1376d2a00a4e48161093 (commit)
- https://github.com/esm-dev/esm.sh/security/advisories/GHSA-2657-3c98-63jq (vendor advisory)
- https://pkg.go.dev/vuln/GO-2025-4138 (Go vulnerability database)
- https://pkg.go.dev/vuln/GO-2026-4332 (Go vulnerability database)