CVE-2026-44593: esm.sh: Legacy Route Path Traversal Can Lead to RCE
esm.sh is a no-build content delivery network (CDN) for web development. In versions 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components into a storage key without sanitizing them, so relative segments such as ".." survive in the key. When that key is used, the underlying file system resolves the relative segments and writes the file to the resulting path, which can lie outside the intended storage directory. An attacker can therefore craft a request that writes data to arbitrary locations on the server.
HarborGuard Analysis
Synopsis
A path traversal vulnerability in esm.sh (versions 137 and earlier) allows an unauthenticated remote attacker to write arbitrary files to the server's file system through the legacy router. The router concatenates user-supplied path components without sanitizing relative segments such as "../", and the resulting storage key is passed directly to the underlying file system. Successful exploitation gives the attacker the ability to overwrite or create files at arbitrary paths on the server, which can be chained into remote code execution. HarborGuard tracks the upstream advisory and will make a patched-image rebuild available the moment a fix version is published.
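To make the flaw described above concrete, here is an added Go illustration (not esm.sh's code; the storageRoot prefix, the component lists and the function names are assumptions for the example) of a storage key built by plain concatenation next to a hardened version that rejects traversal. path.Clean stands in for what the file system does when the key is used.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// storageRoot is a hypothetical prefix under which build artifacts are keyed.
// It stands in for whatever prefix a real store uses; it is not esm.sh's.
const storageRoot = "builds"

// legacyKey mirrors the flawed pattern from the advisory: request path
// components are concatenated into a storage key with no validation, so
// relative segments survive and the file system resolves them on write.
func legacyKey(components []string) string {
	return storageRoot + "/" + strings.Join(components, "/")
}

// resolve shows what the underlying file system does with a key: it collapses
// "." and ".." segments, so a key can land outside storageRoot.
func resolve(key string) string {
	return path.Clean(key)
}

var errTraversal = errors.New("storage key escapes the storage root")

// safeKey is the hardened form: reject any component that is empty, ".", "..",
// or contains a separator, then double-check that the cleaned result still
// sits under storageRoot. Either check alone catches the advisory's payload;
// keeping both guards against a later refactor that bypasses one of them.
func safeKey(components []string) (string, error) {
	for _, c := range components {
		if c == "" || c == "." || c == ".." || strings.ContainsAny(c, `/\`) {
			return "", fmt.Errorf("%w: bad component %q", errTraversal, c)
		}
	}
	key := path.Clean(storageRoot + "/" + strings.Join(components, "/"))
	if !strings.HasPrefix(key, storageRoot+"/") {
		return "", errTraversal
	}
	return key, nil
}

func main() {
	// Constructed request components, including a traversal payload.
	good := []string{"react@18.2.0", "es2022", "index.mjs"}
	evil := []string{"..", "..", "etc", "cron.d", "pwn"}

	fmt.Println(resolve(legacyKey(good))) // builds/react@18.2.0/es2022/index.mjs
	fmt.Println(resolve(legacyKey(evil))) // ../etc/cron.d/pwn (escaped the root)

	_, err := safeKey(evil)
	fmt.Println(err) // storage key escapes the storage root: bad component ".."
}
```

The hardened version rejects ".." rather than cleaning it away: silently normalising would turn a traversal attempt into a write at an unexpected but in-root path and hide the attack from logs. The check must run on the decoded components; a router that percent-decodes after validating would reopen the hole.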
HarborGuard Coverage
- Detection: Available. Detection for CVE-2026-44593 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle esm.sh at version 137 or earlier.
- Scoring and routing: Available. Affected images are scored at CVSS 8.7 (High, CVSS v4.0) and surfaced through each customer's compliance policy weighting, routing findings to the appropriate team inbox based on severity thresholds and owner mappings configured in the customer's HarborGuard environment.
- Remediation: Pending upstream. Because no upstream fix version has been published yet, HarborGuard re-checks the esm.sh advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once an upstream patch lands.
Exploit Conditions
- Network reachability: Required
The attacker must reach the esm.sh legacy router over the network; no prior foothold on the host is needed.
- Authentication: Not required
No credentials or account are required; the vulnerable legacy route accepts unauthenticated requests.
- Victim interaction: Not required
The attacker sends a crafted HTTP request directly to the server; no user action or social engineering is involved.
- Attack complexity: Low
Exploitation is deterministic: constructing a path-traversal payload requires no race conditions, memory layout knowledge, or environmental prerequisites (CVSS AC:L, AT:N).
Blast Radius
- Writes arbitrary files to any path the esm.sh process has permission to write on the host file system; the privileges of that process, not the attacker's, bound the damage.
- Overwrites configuration files, startup scripts, or web-served assets, enabling remote code execution by placing attacker-controlled content where it will be executed or interpreted.
- Corrupts or replaces stored build artifacts and cached modules served to downstream consumers of the CDN.
How HarborGuard Handles This
Available on HarborGuard: images containing esm.sh at version 137 or earlier are flagged immediately upon scan, with findings scored at CVSS 8.7 High and routed per each customer's compliance policy. Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild the moment a fix version is published. For customers with auto-remediation enabled, that event automatically produces a rebuilt image, a regression test run, and a PR opened against affected workloads. In the interim, compensating controls available through HarborGuard's policy engine include flagging any image that exposes the esm.sh legacy route for network-policy isolation, restricting egress from containers running the affected service (which limits what an attacker can do after a successful write, not the write itself), and enforcing a block-on-deploy rule until a patched image is confirmed. Customers should also evaluate whether the legacy router endpoint can be disabled at the application or ingress layer as a short-term mitigation, and should confine what a successful write can reach by running the service as a non-root user with a read-only root filesystem and only the storage directory mounted writable.
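Because the legacy route cannot yet be patched, an ingress- or log-side check for traversal attempts is the practical stopgap mentioned above. The following added Go example (not HarborGuard's or esm.sh's code) runs such a check over constructed access-log lines, percent-decoding repeatedly so that single- and double-encoded payloads are caught; the log format and every sample line are invented for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sampleLog holds constructed common-log-style lines; this is not real traffic.
var sampleLog = []string{
	`10.0.0.5 - - [12/May/2026:10:01:02 +0000] "GET /react@18.2.0/es2022/index.mjs HTTP/1.1" 200 1842`,
	`10.0.0.9 - - [12/May/2026:10:01:07 +0000] "GET /stable/..%2f..%2fetc/cron.d/pwn HTTP/1.1" 200 0`,
	`10.0.0.9 - - [12/May/2026:10:01:09 +0000] "GET /v135/%252e%252e/%252e%252e/tmp/x HTTP/1.1" 200 0`,
	`10.0.0.7 - - [12/May/2026:10:01:11 +0000] "GET /react/..\..\win.ini HTTP/1.1" 404 0`,
}

// requestPath pulls the request target out of the quoted request line.
func requestPath(line string) string {
	start := strings.Index(line, `"`)
	end := strings.LastIndex(line, `"`)
	if start < 0 || end <= start {
		return ""
	}
	fields := strings.Fields(line[start+1 : end])
	if len(fields) < 2 {
		return ""
	}
	return fields[1]
}

// decodeFully percent-decodes until the string stops changing (bounded to
// three rounds), so double-encoded payloads such as %252e%252e are normalised.
func decodeFully(p string) string {
	for i := 0; i < 3; i++ {
		d, err := url.PathUnescape(p)
		if err != nil || d == p {
			return p
		}
		p = d
	}
	return p
}

// hasTraversal reports whether any segment of the decoded path is "..".
// Both slash styles are treated as separators, since some storage layers
// honour a backslash as well.
func hasTraversal(rawPath string) bool {
	p := decodeFully(rawPath)
	segments := strings.FieldsFunc(p, func(r rune) bool { return r == '/' || r == '\\' })
	for _, seg := range segments {
		if seg == ".." {
			return true
		}
	}
	return false
}

// flagTraversal returns the log lines whose request path contains a traversal.
func flagTraversal(lines []string) []string {
	var hits []string
	for _, l := range lines {
		if hasTraversal(requestPath(l)) {
			hits = append(hits, l)
		}
	}
	return hits
}

func main() {
	for _, h := range flagTraversal(sampleLog) {
		fmt.Println("TRAVERSAL:", h)
	}
}
```

Treat this as a compensating detection, not a fix: a proxy that normalises paths before logging can hide the raw request, and matching ".." alone misses traversal expressed through other separators a given storage layer might honour. Blocking the legacy route outright at the ingress is the stronger interim control.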
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: none published yet
- Affected products: 1 (esm-dev / esm.sh <= 137)
- Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N