CVE-2026-23644 is a path traversal vulnerability classified under CWE-22 affecting esm.sh, a content delivery network designed for web development that enables no-build workflows. The vulnerability stems from an incomplete fix related to pathname normalization. Specifically, the Go function path.Clean is used to sanitize file paths but does not prevent absolute paths embedded within malicious tar files from being processed. This allows an attacker to craft tar archives containing files with absolute paths, which when extracted or handled by esm.sh, can overwrite or access files outside the intended directory scope. This can lead to unauthorized file manipulation or disclosure on servers running vulnerable esm.sh versions prior to pseudoversion 0.0.0-20260116051925-c62ab83c589e. The issue was addressed in a commit that improved path validation to reject absolute paths in tar files, effectively closing the traversal vector. The CVSS 4.0 base score is 7.7 (high), reflecting its network attack vector, no required privileges or user interaction, and high impact on confidentiality. No known exploits have been reported in the wild yet, but the vulnerability presents a significant risk if exploited. Given esm.sh’s role in web development pipelines, exploitation could compromise build environments or deployment servers.

For European organizations, the impact of this vulnerability can be substantial, particularly for those heavily reliant on esm.sh for web development and deployment. Successful exploitation could allow attackers to overwrite critical files or inject malicious content into build environments, potentially leading to supply chain compromise, unauthorized code execution, or data leakage. This risk is heightened in continuous integration/continuous deployment (CI/CD) pipelines where automated processes consume esm.sh resources. The vulnerability could disrupt service availability or integrity of web applications, damaging business operations and reputation. Since esm.sh is a CDN used globally, European tech companies, software vendors, and digital service providers integrating esm.sh into their workflows are at risk. The lack of authentication or user interaction required for exploitation increases the threat surface. Although no active exploits are known, the potential for future attacks necessitates prompt remediation to avoid operational and security impacts.

European organizations should immediately upgrade esm.sh to version 0.0.0-20260116051925-c62ab83c589e or later, which contains the fix for this path traversal vulnerability. Additionally, organizations should audit their build and deployment pipelines to identify any usage of esm.sh and ensure that no vulnerable versions are in use. Implement strict input validation and sandboxing for any file extraction or handling processes involving tar archives to prevent unauthorized file system access. Employ runtime monitoring and file integrity checks on servers to detect anomalous file modifications. Where possible, restrict network access to esm.sh services and isolate build environments to limit the blast radius of potential exploitation. Regularly review and update dependency management policies to include security patches promptly. Finally, maintain awareness of any emerging exploits targeting this vulnerability and adjust defenses accordingly.