Zip Slip's Evil Twin: Deconstructing CVE-2026-23644 in esm.sh
Jan 21, 2026
Executive Summary (TL;DR)
The 'esm.sh' CDN service failed to properly sanitize filenames within NPM tarballs. By crafting a package whose entry names contain '../' components, an attacker can escape the intended extraction directory and overwrite files on the server. The initial fix attempt failed because 'path.Clean' only collapses a '..' against a preceding component; a leading '../' has nothing to cancel and is passed through unchanged.
A critical Path Traversal vulnerability in the esm.sh CDN allows attackers to write arbitrary files to the server by supplying malicious NPM tarballs. The flaw highlights a classic confusion between Go's 'path' and 'filepath' packages, neither of whose 'Clean' functions confines a path beneath a base directory.
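To make the 'path.Clean' failure concrete, here is an added Go example (not esm.sh's code) that shows the insufficient clean-only check beside a hardened join that rejects any tarball entry resolving outside the extraction base. The base directory and the entry names are constructed sample values.

```go
package main

import (
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// naiveClean mirrors the insufficient first fix: path.Clean collapses
// "a/../b" to "b" but leaves a leading "../" intact, so a traversal
// name such as "package/../../../x" survives as "../../x".
func naiveClean(name string) string {
	return path.Clean(name)
}

// safeExtractPath joins an archive entry name under base and accepts the
// result only if it still resolves inside base. This is the hardened form
// (example code); on Go 1.20+ filepath.IsLocal(name) is an equivalent stdlib check.
func safeExtractPath(base, name string) (string, bool) {
	// Reject absolute names and backslash separators outright.
	if strings.HasPrefix(name, "/") || strings.Contains(name, `\`) {
		return "", false
	}
	dest := filepath.Join(base, name) // Join cleans the combined path
	rel, err := filepath.Rel(base, dest)
	if err != nil {
		return "", false
	}
	// After Rel, any escape from base shows up as a leading ".." component.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", false
	}
	return dest, true
}

func main() {
	base := "/srv/esm/npm/pkg" // constructed sample extraction directory
	// Constructed sample tarball entry names (not from a real package).
	names := []string{"package/index.js", "a/../b.js", "../sibling.js", "package/../../../outside.txt"}
	for _, name := range names {
		dest, ok := safeExtractPath(base, name)
		fmt.Printf("%-30s path.Clean=%-20s accepted=%-5v dest=%s\n", name, naiveClean(name), ok, dest)
	}
}
```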
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| esm.sh esm-dev | < 0.0.0-20260116051925-c62ab83c589e | 0.0.0-20260116051925-c62ab83c589e |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-22 (Path Traversal) |
| CVSS v4.0 | 7.7 (High) |
| Attack Vector | Network |
| Impact | Arbitrary File Write |
| EPSS Score | 0.00047 (Low) |
| Exploit Status | PoC Available |
CWE-22 Description (MITRE)
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.