CVE-2026-23644 Overview
CVE-2026-23644 is a Path Traversal vulnerability affecting esm.sh, a no-build content delivery network (CDN) that serves npm packages as ES modules. The vulnerability exists because an earlier fix to the tar extraction code was incomplete: it passed tar entry names through path.Clean, but path.Clean only normalizes a name and never rejects one, so entries whose names begin with `..` or are absolute can still cause files to be written outside the intended package directory.
Critical Impact
An attacker can use this path traversal to write files of their choosing to arbitrary locations on the esm.sh host by crafting a package tarball whose entry names escape the extraction directory. The primitive is a file write, not a read; depending on what gets overwritten (configuration, scripts, credentials, cron or service definitions) it can lead to code execution and full compromise of the host.
Affected Products
- esm.sh versions prior to Go pseudoversion 0.0.0-20260116051925-c62ab83c589e
Discovery Timeline
- 2026-01-18 - CVE-2026-23644 published to NVD
- 2026-01-18 - Last updated in NVD database
Technical Details for CVE-2026-23644
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, also known as Path Traversal). The flaw is in the tar extraction logic that esm.sh runs on every npm package tarball it serves.
The core issue is an incomplete security fix. The developers added path.Clean to normalize entry names during extraction, but path.Clean is a normalizer, not a validator: it collapses redundant separators and resolves `.` and `..` elements against the elements that precede them, then returns the result without ever rejecting a name. A name that begins with `..` has nothing before it to cancel against and comes out unchanged, and an absolute name stays absolute. Because Clean flags neither case, the only reliable control is to check the final joined path against the destination directory, which the partial fix did not do.
When serving a package, esm.sh fetches the package tarball from the npm registry and extracts its contents into a per-package directory. A tarball whose entries carry `..`-prefixed names (e.g. package/../../target) or absolute names (e.g. /etc/passwd) causes the extracted files to be written to locations the attacker chooses on the host filesystem rather than under the package directory.
Root Cause
The root cause is the use of path.Clean without any check that the resulting path still lies inside the intended extraction directory. The implementation in server/npmrc.go built the output filename by stripping the tarball's root directory from each entry name and joining the remainder onto the package directory; joining a name that begins with `..` resolves above the package directory, and nothing validated the joined result before the file was written.
Attack Vector
The attack is executed remotely over the network, without authentication or user interaction, because esm.sh fetches and extracts packages on demand. An attacker would:
- Publish an npm package (to the public registry, or to any registry the target esm.sh instance is configured to use) whose tarball contains entries with `..`-prefixed relative names or absolute names
- Request that package from the esm.sh instance, which downloads the tarball and runs the vulnerable extraction loop
- The extracted files are then written outside the intended package directory, at whatever locations the crafted entry names resolve to
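The following Go program is an added illustration, not esm.sh's code or the upstream patch. It builds a constructed tarball in memory with one benign entry, one `..`-prefixed entry and one absolute entry, strips the root directory the way the extraction loop above does, and computes for each regular-file entry both the destination the partial fix (path.Clean plus path.Join) would have used and the verdict of a containment check on the joined result. splitByFirstByte is a stand-in for the utils.SplitByFirstByte helper named in the snippet (assumed to return the text before and after the first separator); the package directory and entry names are made up. Because the function never writes anything, it also works as the pre-extraction tarball audit suggested under Workarounds.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
	"strings"
)

// splitByFirstByte is a stand-in for utils.SplitByFirstByte (assumed
// semantics: text before and after the first occurrence of sep).
func splitByFirstByte(s string, sep byte) (string, string) {
	if i := strings.IndexByte(s, sep); i >= 0 {
		return s[:i], s[i+1:]
	}
	return s, ""
}

// vulnerableDest reproduces the partial fix: path.Clean only normalises, so a
// name beginning with ".." survives it and path.Join resolves it above pkgDir.
func vulnerableDest(pkgDir, name string) string {
	return path.Join(pkgDir, path.Clean(name))
}

var errEscape = errors.New("tar entry escapes package directory")

// safeDest is the containment check the partial fix lacks (illustrative, not
// the upstream patch): join, then require the result to lie strictly inside
// pkgDir. Absolute names are rejected outright instead of being re-rooted.
func safeDest(pkgDir, name string) (string, error) {
	if name == "" || path.IsAbs(name) {
		return "", errEscape
	}
	dest := path.Join(pkgDir, name)
	if !strings.HasPrefix(dest, path.Clean(pkgDir)+"/") {
		return "", errEscape
	}
	return dest, nil
}

// entry is one member of the constructed sample tarball (not a real package).
type entry struct{ name, body string }

func buildTar(entries []entry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// outcome records, for one regular-file entry, where the partial fix would
// have written it and what the containment check decides.
type outcome struct {
	Entry      string
	Vulnerable string
	Safe       string
	Err        error
}

// analyse walks a tarball the way the extraction loop does (root directory
// stripped, non-regular entries skipped) without writing anything.
func analyse(tarball []byte, pkgDir string) ([]outcome, error) {
	tr := tar.NewReader(bytes.NewReader(tarball))
	var out []outcome
	for {
		h, err := tr.Next()
		if errors.Is(err, io.EOF) {
			break
		}
		// Go 1.20+ can flag non-local names itself (GODEBUG=tarinsecurepath=0);
		// the header is still returned, so continue and let safeDest decide.
		if err != nil && !errors.Is(err, tar.ErrInsecurePath) {
			return nil, err
		}
		if h.Typeflag != tar.TypeReg {
			continue
		}
		_, name := splitByFirstByte(h.Name, '/')
		o := outcome{Entry: h.Name, Vulnerable: vulnerableDest(pkgDir, name)}
		o.Safe, o.Err = safeDest(pkgDir, name)
		out = append(out, o)
	}
	return out, nil
}

func main() {
	tarball := buildTar([]entry{
		{"package/index.js", "export default 1;"},
		{"package/../../.ssh/authorized_keys", "ssh-ed25519 AAAA attacker"},
		{"package//etc/cron.d/esm", "* * * * * root id"},
	})
	results, err := analyse(tarball, "/data/npm/evil@1.0.0")
	if err != nil {
		panic(err)
	}
	for _, r := range results {
		fmt.Printf("%-40s partial fix writes to  %s\n", r.Entry, r.Vulnerable)
		if r.Err != nil {
			fmt.Printf("%-40s containment check      REJECT (%v)\n", "", r.Err)
		} else {
			fmt.Printf("%-40s containment check      %s\n", "", r.Safe)
		}
	}
}
```

Running it shows the `..` entry landing at /data/.ssh/authorized_keys under the partial fix while the containment check rejects it. The absolute entry is instructive in the other direction: path.Join re-roots it under the package directory, so it is the `..` case that actually escapes; safeDest still rejects absolute names because a tarball that carries them is not one a trustworthy publisher produces.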
}
// strip tarball root dir
_, name := utils.SplitByFirstByte(h.Name, '/')
- filename := path.Join(pkgDir, name)
+ filename := path.Join(pkgDir, path.Clean(name))
if h.Typeflag != tar.TypeReg {
continue
}
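Review bot: the `+` line does not close the traversal, because path.Clean normalises without rejecting: path.Clean("../../etc/passwd") is returned unchanged, and path.Join(pkgDir, ...) then resolves it above pkgDir. Validate the joined result instead, e.g. `if !strings.HasPrefix(filename, pkgDir+"/") { return errInvalidEntry }` placed before any directory creation or file write, and reject a `name` that is absolute after the root strip (an h.Name of the form `package//etc/x` yields one). The Typeflag check that follows means only regular files reach the write, so symlink and hardlink entries are skipped rather than honoured, which is the right default; the containment check is the missing piece.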
Source: GitHub Commit Update
Note: The diff above is the earlier, partial change that introduced path.Clean; that is the code state this CVE describes as an incomplete fix, since Clean normalizes entry names but never rejects them. The complete remediation is commit c62ab83c589e7b421a0e1376d2a00a4e48161093.
Detection Methods for CVE-2026-23644
Indicators of Compromise
- Files created or modified outside the esm.sh package storage directory by the esm.sh service process
- Writes by the service to directories a package extraction should never touch (e.g. /etc, /root, /var, user home directories)
- Extraction log entries whose file paths contain `..` components or begin with `/`
- Requests for packages whose tarballs contain such entries; a tarball listing (tar tzf) exposes them without extracting anything
Detection Strategies
- Monitor file system activity during npm package extraction for writes outside expected directories
- Implement integrity monitoring on critical system files and directories
- Review web server and application logs for suspicious package names or extraction errors
- Deploy file integrity monitoring (FIM) on the esm.sh service directories
Monitoring Recommendations
- Configure alerts for file system modifications in sensitive directories by the esm.sh service process
- Log and review which packages and registries the instance fetches from; esm.sh pulls tarballs rather than accepting uploads, so the package request is the event to watch
- Enable verbose logging for tar extraction operations to capture full file paths
- Monitor for privilege escalation attempts following potential file overwrites
How to Mitigate CVE-2026-23644
Immediate Actions Required
- Update esm.sh to Go pseudoversion 0.0.0-20260116051925-c62ab83c589e or later
- Review file system for any evidence of exploitation prior to patching
- Audit recently processed npm packages for suspicious tar entries
- Implement additional sandboxing or containerization for package extraction processes
Patch Information
The vulnerability has been fixed in commit c62ab83c589e7b421a0e1376d2a00a4e48161093, corresponding to Go pseudoversion 0.0.0-20260116051925-c62ab83c589e. Organizations should update to this version or later immediately. For detailed patch information, see the GitHub Security Advisory GHSA-2657-3c98-63jq and the Go.dev Vulnerability Report GO-2025-4138.
Workarounds
- Run the esm.sh service in a containerized environment with restricted file system access
- Implement strict chroot or namespace isolation for the extraction process
- Add external validation layer to inspect tar contents before extraction
- Restrict network access to trusted npm registries only
# Example: run esm.sh in a locked-down container (read-only root filesystem,
# no capabilities, writable storage limited to the extraction directory;
# adjust the mount paths to your deployment)
docker run --read-only \
  --cap-drop=ALL \
  --security-opt no-new-privileges \
  --tmpfs /tmp:noexec,nosuid \
  -v /app/packages:/app/packages:rw \
  -p 8080:8080 \
  ghcr.io/esm-dev/esm.sh:latest
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

