What is the CVSS score of CVE-2025-65025?

CVE-2025-65025 has a CVSS 3.1 base score of 8.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Node.js are affected by CVE-2025-65025?

Organizations using esm.sh face notable risk from CVE-2025-65025, a path traversal vulnerability rated CVSS 8.2.. A patch is available.

Is there a public PoC exploit available for CVE-2025-65025?

Yes, a public proof-of-concept exploit is available for CVE-2025-65025. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-65025?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Review file handling controls and restrict upload directories.

Node.js CVE-2025-65025

HIGH

Path Traversal (CWE-22)

2025-11-19 security-advisories@github.com

Node.js Path Traversal Esm Sh Suse

8.2

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.2 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

SUSE

HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:23 vuln.today

Patch released

Mar 28, 2026 - 19:23 nvd

Patch available

PoC Detected

Jan 15, 2026 - 17:52 vuln.today

Public exploit code

CVE Published

Nov 19, 2025 - 18:15 nvd

HIGH 8.2

DescriptionGitHub Advisory

esm.sh is a nobuild content delivery network(CDN) for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths (e.g., package/../../tmp/evil.js). When esm.sh downloads and extracts this package, files may be written to arbitrary locations on the server, escaping the intended extraction directory. This issue has been patched in version 136.

AnalysisAI

esm.sh is a nobuild content delivery network(CDN) for modern web development. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. esm.sh is a nobuild content delivery network(CDN) for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths (e.g., package/../../tmp/evil.js). When esm.sh downloads and extracts this package, files may be written to arbitrary locations on the server, escaping the intended extraction directory. This issue has been patched in version 136. Affected products include: Esm Esm.Sh. Version information: version 136.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.