CVE-2025-59342

MEDIUM NUCLEI

esm.sh < 136.1 - Path Traversal and Arbitrary File Write via X-Zone-Id Header

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-59342. PoCs published by Byte Reaper, byteReaper77. A Nuclei detection template is also available.

AI-analyzed exploit summary The exploit demonstrates a path traversal vulnerability in esm-dev version 136 by sending crafted requests to the `/transform` endpoint with various encoded payloads. It uses libcurl to perform HTTP requests and includes multiple payload variations to bypass potential filters.

Description

esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories. Version 136.1 contains a patch.

Exploits (2)

exploitdb WORKING POC
by Byte Reaper · cwebappsmultiple
https://www.exploit-db.com/exploits/52461

The exploit demonstrates a path traversal vulnerability in esm-dev version 136 by sending crafted requests to the `/transform` endpoint with various encoded payloads. It uses libcurl to perform HTTP requests and includes multiple payload variations to bypass potential filters.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: esm-dev version 136
No auth needed
Prerequisites: Network access to the target endpoint · Target running esm-dev version 136
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 1 stars
by byteReaper77 · poc
https://github.com/byteReaper77/CVE-2025-59342

This repository contains a proof-of-concept exploit for CVE-2025-59342, a path traversal vulnerability in esm.sh (version 136 and earlier). The exploit leverages the `X-Zone-Id` HTTP header to perform directory traversal attacks, allowing arbitrary file writes outside the intended storage location.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: esm.sh version 136 and earlier
No auth needed
Prerequisites: Linux x86_64 environment · GCC compiler · libcurl
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

esm.sh <= v136 - Arbitrary File Write via Path Traversal
MEDIUMVERIFIEDby 0x_Akoko
Shodan: http.html:"esm.sh"

References (4)

Core 4

Scores

CVSS v4 5.5
EPSS 0.0645
EPSS Percentile 91.3%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-24
Status published
Products (2)
esm-dev/esm.sh 0 - 136.1Go
esm-dev/esm.sh <= 136
Published Sep 17, 2025
Tracked Since Feb 18, 2026