CVE-2026-23644: esm.sh has a path traversal in extractPackageTarball that enables file writes from malicious packages
The fix commit does not actually close the path traversal. path.Clean only normalizes a path (collapsing "." and ".." segments); it does not reject an absolute entry name in a malicious tar file, so a rooted name such as "/etc/…" comes out of Clean unchanged and is still written outside the extraction directory. For the same reason Clean cannot remove a leading ".." segment ("../x" survives it as-is), so a check built on Clean alone is not a traversal defense.
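Added illustration, not esm.sh's code and not the contents of either referenced commit: a Go program that shows the property the description relies on (path.Clean keeps a leading "/" and a leading "..") beside a tar extractor that rejects such entries, including symlinks whose target points outside the destination. The tarball contents, the destination directory name and the in-memory write map are constructed for the example; safeTarget and extractTarballSafely are hypothetical names.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
	"path/filepath"
	"strings"
)

// cleanOnly shows what path.Clean does and does not do: it collapses "." and
// ".." segments, but it keeps a leading "/" and cannot drop ".." segments
// that climb above the start of the name. A check built on Clean alone
// therefore still accepts absolute and parent-relative entry names.
func cleanOnly(name string) string {
	return path.Clean(name)
}

var errUnsafeEntry = errors.New("tar entry escapes destination")

// safeTarget maps a tar entry name onto a path under dest, or returns
// errUnsafeEntry when the name is absolute, climbs out of dest, or is not a
// local path on this OS (a Windows volume name, for example).
func safeTarget(dest, name string) (string, error) {
	if name == "" || strings.HasPrefix(name, "/") {
		return "", errUnsafeEntry
	}
	cleaned := path.Clean(name) // tar names are slash-separated, so use "path"
	if cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return "", errUnsafeEntry
	}
	local := filepath.FromSlash(cleaned)
	if !filepath.IsLocal(local) { // Go 1.20+: also rejects volumes and reserved names
		return "", errUnsafeEntry
	}
	target := filepath.Join(dest, local)
	// Belt and braces: the joined path must still sit inside dest.
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errUnsafeEntry
	}
	return target, nil
}

// extractTarballSafely walks a tarball and applies safeTarget to every entry,
// including symlink targets, which a name check alone would miss. Writes go
// into an in-memory map instead of the filesystem so the example runs
// anywhere; the validation is the point. Rejected names are collected
// rather than aborting so a caller can log them.
func extractTarballSafely(dest string, archive []byte) (written map[string]string, rejected []string, err error) {
	written = map[string]string{}
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, nerr := tr.Next()
		if errors.Is(nerr, io.EOF) {
			return written, rejected, nil
		}
		// With GODEBUG=tarinsecurepath=0 Next flags bad names itself but still
		// returns the header, so keep going and let safeTarget decide.
		if nerr != nil && !errors.Is(nerr, tar.ErrInsecurePath) {
			return nil, nil, nerr
		}
		target, terr := safeTarget(dest, hdr.Name)
		if terr != nil {
			rejected = append(rejected, hdr.Name)
			continue
		}
		switch hdr.Typeflag {
		case tar.TypeReg:
			body, rerr := io.ReadAll(tr)
			if rerr != nil {
				return nil, nil, rerr
			}
			written[target] = string(body)
		case tar.TypeSymlink:
			// Resolve the link relative to its own directory and require the
			// result to stay under dest; otherwise a later write through the
			// link lands outside the extraction root.
			linkPath := path.Join(path.Dir(hdr.Name), hdr.Linkname)
			if strings.HasPrefix(hdr.Linkname, "/") {
				linkPath = hdr.Linkname
			}
			if _, lerr := safeTarget(dest, linkPath); lerr != nil {
				rejected = append(rejected, hdr.Name+" -> "+hdr.Linkname)
				continue
			}
			written[target] = "symlink:" + hdr.Linkname
		}
	}
}

// buildSampleTar constructs an in-memory tarball with one benign entry and
// three hostile ones. Constructed sample data, not taken from any real package.
func buildSampleTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	type entry struct{ name, link, body string }
	for _, e := range []entry{
		{name: "package/index.js", body: "module.exports = 1;\n"},
		{name: "/etc/cron.d/evil", body: "* * * * * root id\n"},  // absolute name
		{name: "package/../../escaped.txt", body: "escaped\n"},  // climbs out of dest
		{name: "package/link", link: "../../../etc/passwd"},     // symlink out of dest
	} {
		hdr := &tar.Header{Name: e.name, Mode: 0o644, Typeflag: tar.TypeReg, Size: int64(len(e.body))}
		if e.link != "" {
			hdr.Typeflag, hdr.Linkname, hdr.Size = tar.TypeSymlink, e.link, 0
		}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	fmt.Println(`path.Clean("/etc/cron.d/evil") =`, cleanOnly("/etc/cron.d/evil"))
	fmt.Println(`path.Clean("package/../../escaped.txt") =`, cleanOnly("package/../../escaped.txt"))
	written, rejected, err := extractTarballSafely("node_modules/pkg", buildSampleTar())
	if err != nil {
		panic(err)
	}
	for p := range written {
		fmt.Println("wrote   ", p)
	}
	for _, r := range rejected {
		fmt.Println("rejected", r)
	}
}
```

When writing to a real filesystem, the same validation applies, and the file itself should be created with O_EXCL under a size limit (io.LimitReader) so a package can neither clobber an existing file through a pre-planted symlink nor exhaust disk. The tarinsecurepath GODEBUG is a useful second line of defense but its default has not rejected such names, so the extractor must check for itself.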
References
- github.com/advisories/GHSA-2657-3c98-63jq
- github.com/esm-dev/esm.sh
- github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16
- github.com/esm-dev/esm.sh/commit/c62ab83c589e7b421a0e1376d2a00a4e48161093
- github.com/esm-dev/esm.sh/security/advisories/GHSA-2657-3c98-63jq
- nvd.nist.gov/vuln/detail/CVE-2026-23644
- pkg.go.dev/vuln/GO-2025-4138