CVE-2025-65025 is a path traversal vulnerability classified under CWE-22 affecting esm.sh, a no-build content delivery network widely used in modern web development for serving NPM packages. The vulnerability exists in esm.sh versions prior to 136 during the extraction process of NPM package tarballs. Specifically, esm.sh fails to properly sanitize or restrict file paths inside the tarball, allowing an attacker to include specially crafted file paths such as 'package/../../tmp/evil.js'. When esm.sh downloads and extracts such a malicious package, these crafted paths enable files to be written outside the intended extraction directory, potentially overwriting or creating files in arbitrary locations on the server filesystem. This can lead to unauthorized modification of server files, compromising the integrity of the server environment. The vulnerability does not require any privileges or user interaction to exploit, and the attack vector is remote network-based, as esm.sh automatically downloads and extracts packages. The CVSS v3.1 base score is 8.2, reflecting high severity due to the ease of exploitation and the significant impact on integrity. The issue was publicly disclosed on November 19, 2025, and has been patched in esm.sh version 136. No known exploits have been reported in the wild yet, but the potential impact warrants immediate attention.

For European organizations relying on esm.sh CDN for NPM package delivery, this vulnerability poses a significant risk. Successful exploitation could allow attackers to write malicious files to arbitrary locations on the CDN servers, potentially leading to server compromise, unauthorized code execution, or persistent backdoors. This undermines the integrity of the software supply chain and could facilitate further attacks on downstream users relying on esm.sh. Given the automated nature of package retrieval and extraction, attackers can exploit this vulnerability remotely without authentication or user interaction. The impact extends to any European company using esm.sh in their development or deployment pipelines, especially those in critical infrastructure, finance, or technology sectors where software integrity is paramount. Additionally, compromised CDN servers could be used to serve malicious payloads to European end-users, amplifying the threat. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the urgency for mitigation.

European organizations should immediately verify if their development or deployment environments utilize esm.sh CDN services with versions prior to 136. The primary mitigation is to upgrade esm.sh to version 136 or later, where the path traversal vulnerability has been patched. For organizations that cannot immediately upgrade, implementing strict network segmentation and monitoring of outbound connections to esm.sh can reduce exposure. Additionally, validating and sandboxing package extraction processes can limit the impact of malicious tarballs. Employing file integrity monitoring on servers handling package extraction can help detect unauthorized file writes. Organizations should also audit their supply chain security policies to include checks for CDN vulnerabilities and consider alternative package delivery mechanisms if necessary. Continuous monitoring for unusual file system changes and network activity related to esm.sh interactions is recommended. Finally, educating developers and DevOps teams about the risks of untrusted package sources and enforcing strict version controls can prevent exploitation.