CVE-2025-59342 | esm.sh writes arbitrary files via path traversal in `X-Zone-Id` header

Exp

esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories. Version 136.1 contains a patch.

Published: 2025-09-17 Last update: 2026-04-15 Assigner: [email protected] Source: [email protected]

NVD Status：Deferred，CVE State: published

View at NVD, CVE.org, EUVD

Threat Intelligence & Risk Assessment for CVE-2025-59342

EPSS CVSS CWE GHSA Exploit-DB

Conclusion & alert: CVE-2025-59342 is rated High Exploit Risk (67.8/100): CVSS Medium severity, with high exploitation likelihood (EPSS 6.45%, 91th percentile). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2025-59342

EDB-ID	Source	Kind	Published	Link
52461	exploit_db	edb	2025-12-16	Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2025-59342

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-04-24	7.50%	6.45%	-1.06%
2	2026-04-21	10.90%	7.50%	-3.39%
3	2026-04-18	—	10.90%	—

Full EPSS history (13 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-59342

CVSS metrics for this CVE.

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.5	4.0	MEDIUM	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network. Attack complexity (AC:L) Exploitation conditions are straightforward and stable. Attack requirements (AT:N) No additional preconditions are required beyond normal reachability. Privileges required (PR:N) No privileges are required. User interaction (UI:N) No user interaction is required. Vulnerable system confidentiality impact (VC:N) No confidentiality impact on the vulnerable system. Vulnerable system integrity impact (VI:L) Limited integrity impact on the vulnerable system. Vulnerable system availability impact (VA:N) No availability impact on the vulnerable system. Subsequent system confidentiality impact (SC:N) No confidentiality impact on subsequent systems. Subsequent system integrity impact (SI:N) No integrity impact on subsequent systems. Subsequent system availability impact (SA:N) No availability impact on subsequent systems. Exploit maturity (threat) (E:P) Proof-of-concept: public PoC exists; no reported exploitation and no known simplification tools. Confidentiality requirement (CR:X) Not defined: insufficient information; scoring treats this like High (worst case). Integrity requirement (IR:X) Not defined: insufficient information; scoring treats this like High (worst case). Availability requirement (AR:X) Not defined: insufficient information; scoring treats this like High (worst case). Modified attack vector (MAV:X) Not defined: scoring uses the Base Attack Vector (AV). Modified attack complexity (MAC:X) Not defined: scoring uses the Base Attack Complexity (AC). Modified attack requirements (MAT:X) Not defined: scoring uses the Base Attack Requirements (AT). Modified privileges required (MPR:X) Not defined: scoring uses the Base Privileges Required (PR). Modified user interaction (MUI:X) Not defined: scoring uses the Base User Interaction (UI). Modified vulnerable system confidentiality impact (MVC:X) Not defined: scoring uses the Base VC metric. Modified vulnerable system integrity impact (MVI:X) Not defined: scoring uses the Base VI metric. Modified vulnerable system availability impact (MVA:X) Not defined: scoring uses the Base VA metric. Modified subsequent system confidentiality impact (MSC:X) Not defined: scoring uses the Base SC metric. Modified subsequent system integrity impact (MSI:X) Not defined: scoring uses the Base SI metric. Modified subsequent system availability impact (MSA:X) Not defined: scoring uses the Base SA metric. Safety (supplemental) (S:X) Not evaluated. Automatable (supplemental) (AU:X) Not evaluated. Recovery (supplemental) (R:X) Not evaluated. Value density (supplemental) (V:X) Not evaluated. Vulnerability response effort (supplemental) (RE:X) Not evaluated. Provider urgency (supplemental) (U:X) Not evaluated.	—	—	[email protected]

Weakness enumeration for CVE-2025-59342

CWE-24 MITRE ↗

GitHub Security Advisory for CVE-2025-59342

GHSA-g2h5-cvvr-7gmw · Severity: medium · Ecosystem: go — esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header

Affected software / configurations for CVE-2025-59342

Vendor	Product	Version	Raw CPE
No affected products in dataset.

References for CVE-2025-59342

URL	Tags
https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116
https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411
https://github.com/esm-dev/esm.sh/commit/833a29f42aeb0acbd7089a71be11dd0a292d3151
https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw

cvelogic Threat Intelligence