PT-2025-38248 · Esm.Sh

J3Ssie · Published 2025-09-17 · Updated 2026-04-17 · CVE-2025-59342

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: esm.sh versions 136 and earlier

Description: A path-traversal flaw exists in the handling of the X-Zone-Id HTTP header. The header value is used to construct a filesystem path without sanitization and without restricting the result to the application's storage directory. Supplying ../ sequences in the X-Zone-Id header therefore allows an attacker to write files to arbitrary directories. The vulnerable code is located in router.go at lines 116 and 411. This can lead to arbitrary file creation or overwriting outside the intended storage directory, potentially enabling remote code execution, persistence, or tampering with application files.

Recommendations: Remove any .. sequences from the X-Zone-Id header before processing the file.
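As an added illustration (not esm.sh's own code), the following Go snippet is a hypothetical reconstruction of the pattern the description names, a header value joined straight onto the storage root, placed beside a hardened replacement. The hardened form goes beyond the recommendation above (stripping ..) by rejecting separators and any ".." outright and then verifying that the final path still lies under the root; all function and variable names are assumed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadZoneID is returned when an X-Zone-Id value would escape the storage root.
var ErrBadZoneID = errors.New("invalid X-Zone-Id header value")

// zonePath mirrors the vulnerable pattern (hypothetical, not esm.sh's code):
// the raw header value is joined onto the storage root with no validation,
// so "../" components walk out of the root.
func zonePath(storageRoot, zoneID string) string {
	return filepath.Join(storageRoot, zoneID)
}

// safeZonePath is the hardened form. It rejects empty values, path separators
// and any ".." up front, then confirms the cleaned result is still inside
// storageRoot so the check holds even if the allow-list is relaxed later.
func safeZonePath(storageRoot, zoneID string) (string, error) {
	if zoneID == "" || strings.ContainsAny(zoneID, `/\`) || strings.Contains(zoneID, "..") {
		return "", ErrBadZoneID
	}
	root := filepath.Clean(storageRoot)
	p := filepath.Join(root, zoneID) // Join cleans the joined path
	rel, err := filepath.Rel(root, p)
	if err != nil || rel == "." || strings.HasPrefix(rel, "..") {
		return "", ErrBadZoneID
	}
	return p, nil
}

func main() {
	// Constructed sample values, not taken from any real request.
	fmt.Println("vulnerable:", zonePath("storage", "../evil"))
	if _, err := safeZonePath("storage", "../evil"); err != nil {
		fmt.Println("hardened:", err)
	}
}
```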

Weakness Enumeration

Related Identifiers

- CVE-2025-59342
- GHSA-G2H5-CVVR-7GMW
- GO-2025-3967
- OPENSUSE-SU-2025:15576-1
- SUSE-SU-2025:3799-1

Affected Products

- Esm.Sh