What is CVE-2025-59342?

CVE-2025-59342 is a vulnerability in Esm-dev Esm.sh, classified under CWE-24. Published 2025-09-17.

Is CVE-2025-59342 known to be exploited?

4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Esm-dev Esm.sh

CVE-2025-59342

esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the int…

EPSS: 0.064 (91.2th percentile) — read the EPSS interpretation.

Affected products

Esm-dev Esm.sh — versions <= 136

Weakness classification (CWE)

CWE-24

Public proof-of-concept exploits

References

https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw (x_refsource_CONFIRM)
https://github.com/esm-dev/esm.sh/commit/833a29f42aeb0acbd7089a71be11dd0a292d3151 (x_refsource_MISC)
https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116 (x_refsource_MISC)
https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411 (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-59342?: CVE-2025-59342 is a vulnerability in Esm-dev Esm.sh, classified under CWE-24. Published 2025-09-17.
Is CVE-2025-59342 known to be exploited?: 4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.