CVE-2025-65025 is a path traversal vulnerability classified under CWE-22 affecting esm.sh, a no-build CDN service used for modern web development. The vulnerability exists in esm.sh versions prior to 136 during the extraction of NPM package tarballs. An attacker can craft a malicious NPM package containing file paths with directory traversal sequences such as "package/../../tmp/evil.js". When esm.sh downloads and extracts this package, it fails to properly sanitize or restrict the extraction paths, allowing files to be written outside the intended directory. This improper limitation of pathname can lead to arbitrary file writes on the server hosting esm.sh. The vulnerability can be exploited remotely without any authentication or user interaction, increasing its risk profile. The impact primarily affects the integrity of the server, as attackers can overwrite or place malicious files that may be used for further compromise or persistence. The vulnerability has been assigned a CVSS 3.1 score of 8.2, indicating high severity, with network attack vector, low attack complexity, no privileges required, and no user interaction needed. Although no exploits have been reported in the wild yet, the potential for damage is significant, especially for organizations relying on esm.sh for package delivery. The issue was patched in version 136 of esm.sh, and users are strongly advised to upgrade to this or later versions to remediate the vulnerability.

For European organizations, the exploitation of CVE-2025-65025 could lead to unauthorized file writes on servers hosting esm.sh or integrated into their development pipelines. This can compromise the integrity of the development environment, potentially allowing attackers to inject malicious scripts or backdoors that could propagate into production systems. Given esm.sh's role as a CDN for modern web development, compromised servers could affect the supply chain of web applications, leading to widespread impact. The vulnerability does not directly affect confidentiality or availability but poses a high risk to integrity, which can indirectly impact confidentiality if malicious code is introduced. Organizations using esm.sh in continuous integration/continuous deployment (CI/CD) pipelines or as part of their package management infrastructure are particularly at risk. The lack of required authentication and user interaction means attackers can exploit this remotely and at scale. This could lead to reputational damage, regulatory compliance issues under GDPR if customer data is indirectly affected, and operational disruptions if malicious files cause failures or require remediation.

The primary mitigation is to upgrade esm.sh to version 136 or later, where the path traversal vulnerability has been patched. Organizations should audit their use of esm.sh and ensure no legacy versions are in operation. Additionally, implement strict file system permissions on servers running esm.sh to limit the directories where files can be written, minimizing the impact of any potential exploitation. Employ monitoring and alerting for unusual file system changes, especially outside expected directories, to detect exploitation attempts early. Integrate integrity checking tools to verify the authenticity and expected structure of NPM packages before extraction. Consider sandboxing the extraction process to isolate it from critical system components. Finally, review and tighten supply chain security practices around third-party package usage to reduce the risk of malicious package introduction.