Home > Vulnerability Database > CVE-2025-65025

Mend.io Vulnerability Database

CVE-2025-65025

Good to know:

Date: November 19, 2025

esm.sh is a nobuild content delivery network(CDN) for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths (e.g., package/../../tmp/evil.js). When esm.sh downloads and extracts this package, files may be written to arbitrary locations on the server, escaping the intended extraction directory. This issue has been patched in version 136.

Severity Score

8.2

Related Resources (5)

Url: https://github.com/esm-dev/esm.sh/security/advisories/GHSA-h3mw-4f23-gwpw

Url: https://github.com/esm-dev/esm.sh

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-65025

Url: https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16

Url: https://www.mend.io/vulnerability-database/CVE-2025-65025

Severity Score

8.2

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version github.com/esm-dev/esm.sh - v0.0.0-20251117232647-9d77b88c3207

Learn More

CVSS v3.1

Base Score:	8.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-65025

Good to know:

Date: November 19, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?