Anonymous Intelligence Signal

CVE-2025-59342: Critical Arbitrary File Write Vulnerability in esm.sh (v136 and earlier)

human The Lab unverified 2026-04-17 03:22:40 Source: GitHub Issues

A critical path traversal vulnerability in esm.sh, the popular JavaScript CDN and on-the-fly ESM transpiler, has been publicly documented. Tracked as CVE-2025-59342, it affects versions v136 and earlier and allows an attacker to write files to arbitrary locations on the server's filesystem. According to the source, the Nuclei template for the flaw has been validated against a known vulnerable host and reported as a true positive, so this is a reachable issue in real deployments rather than a theoretical one.

The root cause is insufficient sanitization of client-controlled path components. The typical shape of such a flaw is a request path containing `..` segments (or their percent-encoded equivalents) that is joined onto a storage directory without a containment check, so a write that should land under the service's working directory instead lands wherever the attacker points it. esm.sh is a widely used piece of infrastructure in the modern JavaScript ecosystem, serving and transforming ECMAScript modules on the fly for developers worldwide, so an arbitrary write on the server can mean anything from data corruption and service disruption to full server compromise, for example by overwriting a file the service later serves to clients or that the host later executes.
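The following Go program is an added illustration of the bug class described above, not code from esm.sh or from the advisory: it puts the classic unchecked join next to a hardened resolver and runs both over a constructed list of traversal probes. The storage root, the probe strings, and the function names are assumptions for the example; esm.sh is written in Go, which is why Go is used here.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a requested path would escape the storage root.
var ErrTraversal = errors.New("path escapes storage root")

// vulnerableJoin mimics the classic mistake behind arbitrary-file-write bugs:
// a client-supplied path is joined onto the storage root with no containment
// check. filepath.Join collapses ".." for you, which is exactly how the result
// ends up outside root. Hypothetical code, not esm.sh's implementation.
func vulnerableJoin(root, requested string) string {
	return filepath.Join(root, requested)
}

// safeJoin resolves a client-supplied path under root and refuses anything
// that cleans to a location outside root. It decodes percent-encoding exactly
// once (as an HTTP server would have done before the handler runs), rejects
// absolute paths and NUL bytes, and then checks containment on the cleaned
// result rather than on the raw input. This is a lexical check: if root can
// contain attacker-created symlinks, resolve with filepath.EvalSymlinks too.
func safeJoin(root, requested string) (string, error) {
	decoded, err := url.PathUnescape(requested)
	if err != nil {
		return "", err
	}
	if strings.ContainsRune(decoded, 0) || filepath.IsAbs(decoded) {
		return "", ErrTraversal
	}
	cleanRoot := filepath.Clean(root)
	joined := filepath.Join(cleanRoot, decoded)
	rel, err := filepath.Rel(cleanRoot, joined)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return joined, nil
}

// probes is a constructed list of traversal attempts for the demo, not
// observed traffic and not the request used by the Nuclei template.
var probes = []string{
	"react@18/index.js",            // legitimate module path
	"../../etc/cron.d/evil",        // plain dot-dot traversal
	"%2e%2e/%2e%2e/etc/cron.d/evil", // single percent-encoding of ".."
	"%252e%252e/escaped",           // double-encoded: decodes to a literal name, stays in root
	"/etc/cron.d/evil",             // absolute path
	"sub/../../escape",             // traversal hidden behind a real subdirectory
}

func main() {
	root := "/var/lib/esm/storage" // hypothetical storage root
	for _, p := range probes {
		got, err := safeJoin(root, p)
		fmt.Printf("%-32s naive=%-36s safe=%q err=%v\n",
			p, vulnerableJoin(root, p), got, err)
	}
}
```

The point to take from the run is that the naive join quietly produces `/var/lib/etc/cron.d/evil` for the second probe, while the hardened resolver rejects every escape attempt and still accepts the double-encoded case, because after one decode it is just an oddly named directory inside root. Decoding more than once, or checking the raw string instead of the cleaned result, reopens the hole.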

The public release of a validated Nuclei template for this CVE significantly lowers the barrier for exploitation. A Nuclei template is a detection check rather than a full exploit, but a validated one tells any scanner operator exactly which hosts are affected and encodes the request shape that reaches the flaw, which is most of the work of weaponizing it. Operators of self-hosted esm.sh instances should confirm the version they are running and upgrade to a release later than v136 without delay; teams that consume the public esm.sh service cannot patch it themselves and should confirm its status rather than assume it. The availability of a working check in a major security scanner framework turns this from a disclosed bug into an active operational threat.