CVE-2025-65025 Overview
CVE-2025-65025 is a critical path traversal vulnerability in esm.sh, a no-build content delivery network (CDN) for modern web development that fetches NPM packages on demand and serves them as ES modules. Prior to version 136, the esm.sh server is vulnerable to path traversal while extracting NPM package tarballs. An attacker can craft a malicious NPM package whose tarball contains entry names with traversal components (e.g., package/../../tmp/evil.js). When esm.sh downloads and extracts that package, the entry is written outside the intended extraction directory, to any location the server process is allowed to write to.
Critical Impact
This vulnerability allows an attacker to write files to arbitrary locations on the esm.sh server, which can lead to remote code execution, configuration tampering, or complete server compromise. No upload to esm.sh is required: the attacker publishes a malicious package to a registry that esm.sh resolves from and then requests it through the CDN.
Affected Products
- esm.sh versions prior to 136
- esm:esm.sh (all versions before security patch)
- esm.sh CDN services processing untrusted NPM packages
Discovery Timeline
- 2025-11-19 - CVE-2025-65025 published to NVD
- 2026-01-15 - Last updated in NVD database
Technical Details for CVE-2025-65025
Vulnerability Analysis
This path traversal vulnerability exists in the NPM package extraction functionality within esm.sh's server-side code. The vulnerability arises from improper sanitization of file paths contained within NPM package tarballs during extraction. When processing incoming packages, the server concatenates the extraction directory with the filename from the tarball header without properly validating or cleaning the path components.
An attacker exploits this by publishing a malicious NPM package whose tarball entry names include directory traversal sequences such as ../. When esm.sh extracts the package, those sequences are resolved against the package directory instead of being rejected, so the file is written outside the designated package directory. Depending on what the service process may write, this can overwrite configuration files, inject scripts into directories the CDN serves, or achieve remote code execution by writing to a location from which code is later executed.
Root Cause
The root cause is the direct use of the untrusted entry name from the tarball header (h.Name) when building the destination path. The original code in server/npmrc.go stripped the tarball root directory and joined the remainder onto the package directory without verifying that the result stayed under that directory. Since Go's path.Join normalizes its output, the .. components are resolved against the package directory rather than rejected, which is exactly what lets an entry escape the intended boundary.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can:
- Create a malicious NPM package whose tarball contains entry names with path traversal sequences
- Publish the package to the public NPM registry, or host it on a registry the target esm.sh instance is configured to use
- Request the package through the CDN, which causes esm.sh to fetch and extract the tarball on demand
- Achieve an arbitrary file write on the esm.sh server with the privileges of the service process
The following patch from GitHub Commit 9d77b88 demonstrates the fix:
}
// strip tarball root dir
_, name := utils.SplitByFirstByte(h.Name, '/')
- filename := path.Join(pkgDir, name)
+ filename := path.Join(pkgDir, path.Clean(name))
if h.Typeflag != tar.TypeReg {
continue
}
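Review bot: the path.Clean(name) added on the + line does not keep filename inside pkgDir. path.Join already cleans its result, so path.Join(pkgDir, path.Clean(name)) evaluates to the same string as path.Join(pkgDir, name), and for a stripped name such as ../../tmp/evil.js, path.Clean returns its input unchanged (Go drops leading .. elements only from rooted paths); the join then still resolves two levels above pkgDir. Check the joined result instead, e.g. `if !strings.HasPrefix(filename, pkgDir+"/") { return fmt.Errorf("invalid entry name %q", h.Name) }` with pkgDir itself cleaned beforehand, so that any entry resolving outside the package directory is refused rather than written.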
Source: GitHub Commit 9d77b88
The fix shown applies path.Clean() to the entry name before joining it onto the package directory. Two Go details matter when reviewing this: path.Join already cleans its result, and path.Clean keeps a leading .. on a relative path (Clean("../../tmp/evil.js") returns the input unchanged), so Clean on its own does not stop a name from resolving above pkgDir. The robust form of the check is to join and then verify that the result still starts with pkgDir followed by a separator, rejecting the entry otherwise. Read the hunk above together with the full commit and GHSA-h3mw-4f23-gwpw before relying on a backport of this single line.
Detection Methods for CVE-2025-65025
Indicators of Compromise
- Unexpected files appearing outside NPM package extraction directories
- Modified system or configuration files with recent timestamps coinciding with package extraction operations
- Log entries showing package downloads from untrusted or suspicious NPM registries
- Tarball entry names in processed packages that contain .. components, are absolute, or do not start with the expected package/ root
Detection Strategies
- Monitor file system write operations originating from the esm.sh process for paths outside expected extraction directories
- Implement file integrity monitoring (FIM) on critical server directories
- Analyze NPM package contents before extraction for suspicious path patterns using automated scanning
- Review access logs for unusual package fetch requests or patterns
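The following Go program is an added example, not code from esm.sh or from the original advisory. It reconstructs the vulnerable and hardened joins described under Root Cause and Attack Vector and turns the hardened check into the pre-extraction scan suggested in the strategies above: it walks a tarball's headers without writing anything and reports, for each regular-file entry, where the pre-136 join would have placed the file and whether a containment check rejects it. The tarball contents, the package directory names and the stripRoot helper (assumed to behave like the diff's utils.SplitByFirstByte(h.Name, '/') call) are constructed for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// tarEntry is one regular file in the constructed sample tarball.
type tarEntry struct{ Name, Body string }

// buildTarball writes the entries into an in-memory tar stream. npm packs
// every file under a single "package/" root, which the server strips.
func buildTarball(entries []tarEntry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.Name, Mode: 0o644, Size: int64(len(e.Body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := io.WriteString(tw, e.Body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// stripRoot drops everything up to and including the first '/'. It is an
// assumption about what the diff's utils.SplitByFirstByte(h.Name, '/') does.
func stripRoot(name string) string {
	if i := strings.IndexByte(name, '/'); i >= 0 {
		return name[i+1:]
	}
	return ""
}

// safeJoin joins and then verifies the result is still inside pkgDir.
// path.Clean on the name would not help: Clean("../../x") returns "../../x"
// (Go only drops leading ".." from rooted paths), and Join cleans anyway.
func safeJoin(pkgDir, name string) (string, error) {
	pkgDir = path.Clean(pkgDir)
	filename := path.Join(pkgDir, name)
	if !strings.HasPrefix(filename, pkgDir+"/") {
		return "", fmt.Errorf("entry %q resolves to %s, outside %s", name, filename, pkgDir)
	}
	return filename, nil
}

// entryReport records, for one regular-file entry, where the vulnerable join
// would have written it and why (if at all) the hardened join rejects it.
type entryReport struct {
	Name       string
	UnsafeDest string
	Rejected   error
}

// scanTarball walks the headers without writing anything, so it can run as a
// pre-extraction check. Non-regular entries are skipped, as in the diff.
func scanTarball(tarball []byte, pkgDir string) ([]entryReport, error) {
	var reports []entryReport
	tr := tar.NewReader(bytes.NewReader(tarball))
	for {
		h, err := tr.Next()
		if err == io.EOF {
			return reports, nil
		}
		if err != nil {
			return reports, err
		}
		if h.Typeflag != tar.TypeReg {
			continue
		}
		name := stripRoot(h.Name)
		// Pre-136 computation: path.Join alone. Join cleans its result, so a
		// leading ".." is resolved against pkgDir rather than removed.
		unsafeDest := path.Join(pkgDir, name)
		_, rejected := safeJoin(pkgDir, name)
		reports = append(reports, entryReport{h.Name, unsafeDest, rejected})
	}
}

// maliciousTarball is the constructed sample: one legitimate file plus one
// entry carrying the traversal sequence from the advisory's example.
func maliciousTarball() []byte {
	return buildTarball([]tarEntry{
		{"package/package.json", `{"name":"evil","version":"1.0.0"}`},
		{"package/../../tmp/evil.js", "globalThis.pwned = true;\n"},
	})
}

func main() {
	reports, err := scanTarball(maliciousTarball(), "/srv/esm/pkg/evil@1.0.0")
	if err != nil {
		panic(err)
	}
	for _, r := range reports {
		fmt.Printf("%-28s -> %-30s rejected: %v\n", r.Name, r.UnsafeDest, r.Rejected)
	}
}
```

Running it prints one line per entry: package.json resolves under the package directory and is accepted, while package/../../tmp/evil.js resolves two levels above it and is rejected with the offending destination in the error. The same scanTarball call can be run on a downloaded tarball before it is handed to the extractor, which is the automated pre-extraction check the list above asks for.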
Monitoring Recommendations
- Configure alerts for any file modifications in system directories triggered by the CDN service
- Implement logging and auditing of all NPM package extraction operations with full path information
- Deploy runtime application self-protection (RASP) solutions to detect and block path traversal attempts
- Monitor for unexpected process spawning or network connections following package extraction events
How to Mitigate CVE-2025-65025
Immediate Actions Required
- Upgrade esm.sh to version 136 or later immediately
- Review server filesystems for any unauthorized files written outside package directories
- Audit recently processed NPM packages for malicious path traversal payloads
- Restrict access to the esm.sh service until patching is complete if public-facing
Patch Information
This vulnerability has been patched in esm.sh version 136. The fix is available in GitHub Commit 9d77b88. For complete details, refer to the GitHub Security Advisory GHSA-h3mw-4f23-gwpw.
Workarounds
- A Web Application Firewall (WAF) in front of esm.sh does not help here: the tarball is fetched server-side from the registry, so the traversal payload never passes through the WAF. If patching must wait, put the check on the fetch path instead, for example a registry proxy that rejects tarballs whose entry names contain .. components or escape the package/ root
- Restrict esm.sh to an allowlist of packages; trusting registries alone is not enough, because anyone can publish to the public NPM registry
- Run the esm.sh service in a containerized environment with a read-only root filesystem and only the extraction directory mounted writable
- Apply filesystem-level sandboxing (chroot or mount namespaces) and run the service as an unprivileged user, so that an escaped write cannot reach system or configuration files
# Example: running esm.sh in a restricted container so an escaped write has
# nowhere useful to land. The image tag esm-sh:136 is illustrative. With
# --read-only, only the package volume and /tmp are writable; note that the
# overview's sample entry targets /tmp, which stays writable here (noexec only
# blocks executing it as a binary). The volume must be writable by the chosen uid.
docker run --read-only \
  --tmpfs /tmp:rw,noexec,nosuid,size=64m \
  -v /app/packages:/app/packages:rw \
  --user 65534:65534 \
  --cap-drop ALL \
  --security-opt no-new-privileges:true \
  esm-sh:136
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


