CVE-2025-50180
Full-Response SSRF in esm.sh CDN Allows Internal Data Access

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: esm
Product: esm.sh
Version / Range: up to 137 (exclusive)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-50180 is a Server-Side Request Forgery (SSRF) vulnerability in esm.sh, a no-build content delivery network (CDN) for web development. In version 136, esm.sh improperly validates URLs and handles HTTP redirects, allowing an attacker to trick the server into making unauthorized requests to internal websites or services.

Specifically, esm.sh allows fetching URLs that start with HTTP or HTTPS prefixes but restricts fetching internal addresses by only allowing URLs ending with certain suffixes. However, this restriction can be bypassed using HTTP 302 redirects, enabling attackers to redirect requests to internal IP addresses such as cloud metadata services.

An attacker can host a malicious server that responds with a redirect to an internal resource, causing esm.sh to fetch and return sensitive internal data. This vulnerability was fixed in version 137 by implementing strict host allowlisting and improved redirect handling to prevent SSRF.


How can this vulnerability impact me?

This SSRF vulnerability can allow attackers to access internal sites and services that are normally not accessible externally. In cloud environments, this can lead to disclosure of sensitive information such as access keys and secret keys from metadata services.

By exploiting this vulnerability, attackers could potentially compromise the entire cloud infrastructure or internal network by retrieving confidential data or performing unauthorized actions through the esm.sh service.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability in esm.sh allows an attacker to exploit Server-Side Request Forgery (SSRF) by causing esm.sh to fetch internal URLs via HTTP redirects. Detection involves monitoring for unusual outbound HTTP requests or redirects to internal IP addresses or unexpected hosts.

You can detect exploitation attempts by inspecting network traffic for requests to esm.sh that include URLs with HTTP or HTTPS prefixes, especially those that result in redirects to internal IP addresses such as 169.254.169.254 (cloud metadata service).

Suggested commands to detect suspicious activity include:

  • Use network packet capture tools like tcpdump or Wireshark to filter HTTP requests to esm.sh and look for URLs containing 'http://' or 'https://' prefixes.
  • Example tcpdump command to capture HTTP traffic to esm.sh: tcpdump -i any -s 0 -w esmsh_traffic.pcap 'host esm.sh and (tcp port 80 or 443)'
  • Analyze web server logs or proxy logs for requests to esm.sh containing suspicious URL patterns such as '/http://' or '/https://'.
  • Use grep on logs: grep -E '/https?://' /path/to/logfile

Because the vulnerability involves following HTTP 302 redirects to internal addresses, monitoring for unexpected redirects or errors related to disallowed hosts in esm.sh logs or application logs can also help detect exploitation. [4]


What immediate steps should I take to mitigate this vulnerability?

To mitigate the SSRF vulnerability in esm.sh version 136, immediate steps include upgrading esm.sh to version 137 or later, where the vulnerability has been fixed.

The fix involves implementing strict host allowlisting in HTTP client requests to prevent esm.sh from following redirects or making requests to unauthorized internal hosts.

If upgrading immediately is not possible, a recommended mitigation is to replace the default HTTP client in esm.sh with a safer client such as safeurl.Client, which enforces stricter URL validation and prevents SSRF attacks.

Additional mitigation steps include:

  • Configure esm.sh to use a host whitelist for outgoing HTTP requests, blocking requests to internal IP addresses or unexpected hosts.
  • Monitor and block HTTP redirects to disallowed hosts by customizing redirect handling logic.
  • Review and restrict network access to internal services such as cloud metadata endpoints to minimize exposure.

Overall, upgrading to esm.sh v137, which includes the SSRF fix, is the most effective and immediate mitigation.
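As an added illustration (not esm.sh's own code and not the v137 fix), the Go snippet below contrasts the suffix-only URL check the explanation above describes with a redirect-aware host allowlist of the kind the mitigation steps recommend, applied through http.Client's CheckRedirect hook. The allowlist entries are constructed; resolving hostnames to IPs before connecting, which a client such as safeurl.Client does, is omitted so the example runs offline.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Constructed allowlist of upstream hosts; illustrative names, not esm.sh's.
var allowedHosts = map[string]bool{"registry.npmjs.org": true}

// suffixAllowed is the weak check the advisory describes: it sees only how the
// URL string ends, not where a 302 redirect leads.
func suffixAllowed(raw string) bool {
	return strings.HasSuffix(raw, ".js") || strings.HasSuffix(raw, ".json")
}

// isInternalIP: loopback, RFC 1918, link-local (169.254.0.0/16, metadata) or unspecified.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// checkTarget runs on the initial URL and on every redirect hop: only https to an
// allowlisted host passes, and literal internal IPs are refused. Resolving names to
// IPs before connecting (what a safeurl-style client adds) is omitted to stay offline.
func checkTarget(u *url.URL) error {
	if u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if ip := net.ParseIP(host); ip != nil && isInternalIP(ip) {
		return fmt.Errorf("internal address %s blocked", ip)
	}
	if !allowedHosts[host] {
		return fmt.Errorf("host %q not in allowlist", host)
	}
	return nil
}

// checkRedirect is the http.Client.CheckRedirect hook: it re-validates each hop
// and caps the chain, so a 302 cannot steer the fetch to an internal host.
// Wire it in with &http.Client{CheckRedirect: checkRedirect}.
func checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 3 {
		return fmt.Errorf("too many redirects")
	}
	return checkTarget(req.URL)
}
```

The same checkTarget should also run on the initial URL before the first request is sent, since CheckRedirect is only invoked for redirect hops.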

