Vulnerability Information
Vulnerability Title
esm.sh has path traversal in `extractPackageTarball` that enables file writes from malicious packages
Vulnerability Description
esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix: `path.Clean` normalizes a path but does not reject absolute paths, so an entry name in a malicious tar file can still resolve outside the extraction directory. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue.
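To illustrate the gap the description points at, the following is an added example written for this page, not code from esm.sh. It contrasts a `path.Clean`-only normalization with a check that rejects absolute tar entry names and any entry that escapes the destination directory, then walks a small constructed in-memory tarball. The destination `/tmp/pkg` and the entry names are constructed sample values.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
	"path/filepath"
	"strings"
)

// cleanOnly mirrors the insufficient approach described above: path.Clean
// collapses "a/../b" to "b" but leaves an absolute name such as
// "/etc/passwd" untouched.
func cleanOnly(name string) string {
	return path.Clean(name)
}

// safeExtractPath returns the on-disk path for a tar entry, or an error if
// the entry name is absolute or would resolve outside destDir.
func safeExtractPath(destDir, name string) (string, error) {
	if name == "" {
		return "", errors.New("empty entry name")
	}
	// Tar entry names are slash-separated; an absolute name must never be
	// accepted, regardless of what path.Clean makes of it.
	if path.IsAbs(name) {
		return "", fmt.Errorf("absolute entry name rejected: %q", name)
	}
	cleaned := path.Clean(name)
	if cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return "", fmt.Errorf("entry escapes destination: %q", name)
	}
	target := filepath.Join(destDir, filepath.FromSlash(cleaned))
	// Second line of defence: verify the joined path is still under destDir.
	rel, err := filepath.Rel(destDir, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry escapes destination: %q", name)
	}
	return target, nil
}

// listSafeEntries walks an in-memory tarball and reports which entry names
// pass safeExtractPath and which are rejected. Only regular files and
// directories are considered; other entry types are rejected as well.
func listSafeEntries(destDir string, tarball []byte) ([]string, []string, error) {
	var accepted, rejected []string
	tr := tar.NewReader(bytes.NewReader(tarball))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, nil, err
		}
		if hdr.Typeflag != tar.TypeReg && hdr.Typeflag != tar.TypeDir {
			rejected = append(rejected, hdr.Name)
			continue
		}
		if _, perr := safeExtractPath(destDir, hdr.Name); perr != nil {
			rejected = append(rejected, hdr.Name)
			continue
		}
		accepted = append(accepted, hdr.Name)
	}
	return accepted, rejected, nil
}

// buildTarball constructs a tar archive in memory from the given entry
// names (constructed test input; each entry holds one byte of content).
func buildTarball(names []string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		body := []byte("x")
		_ = tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg})
		_, _ = tw.Write(body)
	}
	_ = tw.Close()
	return buf.Bytes()
}

func main() {
	tb := buildTarball([]string{"package/index.js", "/etc/passwd", "../../escape.js"})
	ok, bad, err := listSafeEntries("/tmp/pkg", tb)
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted:", ok)
	fmt.Println("rejected:", bad)
	fmt.Println("path.Clean alone keeps:", cleanOnly("/etc/passwd"))
}
```

The explicit `path.IsAbs` rejection is the part the incomplete fix lacked; the `filepath.Rel` check afterwards catches any remaining way for a joined path to land outside the destination.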
CVSS Information
N/A
Vulnerability Type
Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
Vulnerability Title
esm.sh Path Traversal Vulnerability
Vulnerability Description
esm.sh is an open-source content delivery network by esm.sh. esm.sh contains a path traversal vulnerability caused by incomplete path sanitization, which may allow path traversal.
CVSS Information
N/A
Vulnerability Type
N/A