CVE-2026-44593: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in esm-dev esm.sh
esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components without sanitizing them, producing a storage key. When this key is used, the underlying file system resolves the relative segments and writes the file to the specified path. Thus an attacker can craft a request that writes data to arbitrary locations on the server.
AI Analysis
Technical Summary
esm.sh is a no-build CDN for web development. In versions 137 and earlier, its legacy router retrieves responses from legacyServer and writes data to storage via buildStorage.Put. The router concatenates path components from incoming requests without sanitizing them, producing a storage key that the file system resolves including relative path segments. This lack of sanitization allows an attacker to perform path traversal, writing files to arbitrary server locations.
Potential Impact
An attacker can write files to arbitrary locations on the server hosting esm.sh, potentially leading to unauthorized file modification or system compromise. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. The CVSS 4.0 base score is 8.7, indicating high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on integrity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to the affected esm.sh versions or implementing external controls to prevent exploitation of path traversal. Monitor vendor channels for updates and apply patches promptly once available.
CVE-2026-44593: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in esm-dev esm.sh
Description
esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components without sanitizing them, producing a storage key. When this key is used, the underlying file system resolves the relative segments and writes the file to the specified path. Thus an attacker can craft a request that writes data to arbitrary locations on the server.
CVSS v4.0
Score 8.7high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
esm.sh is a no-build CDN for web development. In versions 137 and earlier, its legacy router retrieves responses from legacyServer and writes data to storage via buildStorage.Put. The router concatenates path components from incoming requests without sanitizing them, producing a storage key that the file system resolves including relative path segments. This lack of sanitization allows an attacker to perform path traversal, writing files to arbitrary server locations.
Potential Impact
An attacker can write files to arbitrary locations on the server hosting esm.sh, potentially leading to unauthorized file modification or system compromise. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. The CVSS 4.0 base score is 8.7, indicating high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on integrity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to the affected esm.sh versions or implementing external controls to prevent exploitation of path traversal. Monitor vendor channels for updates and apply patches promptly once available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-06T21:49:12.425Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a186052e29bf47b500b4216
Added to database: 5/28/2026, 3:33:38 PM
Last enriched: 5/28/2026, 3:48:55 PM
Last updated: 5/29/2026, 1:57:12 PM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.