High severity · OSV Advisory · Published Jan 18, 2026 · Updated Jan 20, 2026

esm.sh has path traversal in `extractPackageTarball` that enables file writes from malicious packages

CVE-2026-23644

Description

esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix: path.Clean normalizes a path (collapsing `.` and `..` segments) but leaves an absolute path absolute, so a malicious tar file can still contain entries that point outside the extraction directory. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue.
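The description turns on the difference between normalizing a tar entry name and validating it. The following Go check is an added example for this advisory, not code from esm.sh or from the fixing commit: it rejects absolute entry names and parent-directory escapes that survive path.Clean, then confirms the joined path still sits under the destination directory. The destination directory and the sample entry names are constructed for illustration; tar entry names use forward slashes on every OS, so package `path` rather than `filepath` is used.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrUnsafePath is returned for tar entry names that would land outside destDir.
var ErrUnsafePath = errors.New("tar entry escapes destination directory")

// SafeEntryPath maps a tar entry name onto destDir and returns the resulting
// path, or ErrUnsafePath if the entry would be written outside destDir.
//
// path.Clean alone is not a sufficient check: Clean("/etc/passwd") is still
// "/etc/passwd", and Clean("a/../../b") is "../b", so both the absolute and
// the parent-escape case must be rejected explicitly after cleaning.
func SafeEntryPath(destDir, name string) (string, error) {
	if name == "" || path.IsAbs(name) {
		return "", ErrUnsafePath
	}
	cleaned := path.Clean(name)
	if cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return "", ErrUnsafePath
	}

	cleanDest := path.Clean(destDir)
	full := path.Join(cleanDest, cleaned)

	// Belt and braces: the joined path must equal destDir (entry "./") or be
	// strictly beneath it. destDir "/" is special-cased so the prefix is "/".
	prefix := cleanDest + "/"
	if cleanDest == "/" {
		prefix = "/"
	}
	if full != cleanDest && !strings.HasPrefix(full, prefix) {
		return "", ErrUnsafePath
	}
	return full, nil
}

func main() {
	// Constructed sample entry names, as they might appear in a tar header.
	dest := "/tmp/extract" // constructed destination directory
	names := []string{
		"package/index.js",
		"a/./b/../c",
		"/etc/passwd",
		"../../etc/passwd",
		"a/../../b",
	}
	for _, n := range names {
		full, err := SafeEntryPath(dest, n)
		if err != nil {
			fmt.Printf("%-20q rejected: %v\n", n, err)
			continue
		}
		fmt.Printf("%-20q -> %s\n", n, full)
	}
}
```

The same check has to be applied to anything else in the archive that names a filesystem location, such as hard-link and symbolic-link targets, since those are not covered by validating the entry name alone.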


Affected packages

Versions sourced from the GitHub Security Advisory.

| Package                          | Ecosystem | Affected versions                        | Patched versions                     |
|----------------------------------|-----------|------------------------------------------|--------------------------------------|
| github.com/esm-dev/esm.sh        | Go        | >= 0.0.1, <= 136                         | (none listed)                        |
| github.com/esm-dev/esm.sh        | Go        | < 0.0.0-20260116051925-c62ab83c589e      | 0.0.0-20260116051925-c62ab83c589e    |
