PT-2025-47503 · Esm.Sh · Esm.Sh

Published: 2025-11-19 · Updated: 2025-12-15 · CVE-2025-65025

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: esm.sh versions prior to 136
Description: The esm.sh CDN service is susceptible to a path traversal issue during the extraction of npm package tarballs. An attacker can publish a malicious npm package whose tarball contains entries with crafted paths, such as package/../../tmp/evil.js. When esm.sh downloads and extracts that package, the entry name is joined onto the extraction directory without checking that the result stays inside it, so files can be written to locations outside the intended directory, allowing arbitrary file writes on the server with the privileges of the esm.sh process.
Recommendations: Update to version 136 or later.
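The following is an added example, not code from esm.sh or from the advisory, illustrating the bug class in Go (the language esm.sh is written in). It builds a constructed tarball containing one benign entry and one entry shaped like the advisory's package/../../tmp/evil.js, then extracts it twice: once the way a naive extractor does (joining the entry name onto the destination and trusting it) and once with a containment check. The function names, the in-memory archive and the temporary directory layout are all assumptions for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath marks a tar entry that would be written outside the
// extraction directory.
var ErrUnsafePath = errors.New("tar entry escapes the extraction directory")

// buildTarball returns a constructed npm-style tarball (sample data, not a
// real package) with one benign entry and one traversal entry shaped like
// the advisory's example.
func buildTarball() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	entries := []struct{ name, body string }{
		{"package/package.json", `{"name":"benign","version":"1.0.0"}`},
		{"package/../../tmp/evil.js", "console.log('written outside the package dir')"},
	}
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// safeJoin joins name onto dest and rejects the result unless it stays inside
// dest. This is the containment check a hardened extractor needs; Join already
// collapses ".." segments, so the check is done on the cleaned result.
func safeJoin(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, name)
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return target, nil
}

// extractTar writes the archive's directories and regular files under dest and
// returns the paths it wrote. With strict=false it mirrors the vulnerable
// pattern (no containment check); with strict=true it refuses traversal
// entries. Symlink and hardlink entries are skipped here; a full extractor
// must also confirm their link targets stay inside dest.
func extractTar(archive []byte, dest string, strict bool) ([]string, error) {
	var written []string
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		var target string
		if strict {
			if target, err = safeJoin(dest, hdr.Name); err != nil {
				return written, fmt.Errorf("%s: %w", hdr.Name, err)
			}
		} else {
			target = filepath.Join(dest, hdr.Name) // vulnerable: trusts the entry name
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return written, err
			}
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
			if err != nil {
				return written, err
			}
			_, err = io.Copy(f, tr)
			f.Close()
			if err != nil {
				return written, err
			}
			written = append(written, target)
		}
	}
}

func main() {
	root, err := os.MkdirTemp("", "esm-extract-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	dest := filepath.Join(root, "pkg")

	// Unchecked: the traversal entry lands at <root>/tmp/evil.js, outside <root>/pkg.
	paths, _ := extractTar(buildTarball(), dest, false)
	for _, p := range paths {
		fmt.Println("unchecked:", p)
	}
	// Strict: the same archive is rejected at the traversal entry.
	_, err = extractTar(buildTarball(), dest, true)
	fmt.Println("strict:", err)
}
```

The example keeps everything under a temporary directory so the escaped write is visible without touching a real /tmp; on a server extracting into a per-package directory, the same entry would land two levels above that directory. Note that the check is on the cleaned, joined path, not on the raw entry name: filtering the string ".." alone misses entries such as absolute names or mixed separators, whereas comparing the resolved path against the destination catches any escape regardless of how it was spelled.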

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2025-65025
GHSA-H3MW-4F23-GWPW
GO-2025-4138
SUSE-SU-2025:4395-1

Affected Products

Esm.Sh