CVE-2025-50180
Received Received - Intake
Full-Response SSRF in esm.sh CDN Allows Internal Data Access

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2025-50180
EUVD
EUVD-2025-208114
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
esm esm.sh to 137 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-50180 is a Server-Side Request Forgery (SSRF) vulnerability in esm.sh, a no-build content delivery network (CDN) for web development. In version 136, esm.sh improperly validates URLs and handles HTTP redirects, allowing an attacker to trick the server into making unauthorized requests to internal websites or services.

Specifically, esm.sh allows fetching URLs that start with HTTP or HTTPS prefixes but restricts fetching internal addresses by only allowing URLs ending with certain suffixes. However, this restriction can be bypassed using HTTP 302 redirects, enabling attackers to redirect requests to internal IP addresses such as cloud metadata services.

An attacker can host a malicious server that responds with a redirect to an internal resource, causing esm.sh to fetch and return sensitive internal data. This vulnerability was fixed in version 137 by implementing strict host allowlisting and improved redirect handling to prevent SSRF.

Impact Analysis

This SSRF vulnerability can allow attackers to access internal sites and services that are normally not accessible externally. In cloud environments, this can lead to disclosure of sensitive information such as access keys and secret keys from metadata services.

By exploiting this vulnerability, attackers could potentially compromise the entire cloud infrastructure or internal network by retrieving confidential data or performing unauthorized actions through the esm.sh service.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'The vulnerability in esm.sh allows an attacker to exploit Server-Side Request Forgery (SSRF) by causing esm.sh to fetch internal URLs via HTTP redirects. Detection involves monitoring for unusual outbound HTTP requests or redirects to internal IP addresses or unexpected hosts.'}, {'type': 'paragraph', 'content': 'You can detect exploitation attempts by inspecting network traffic for requests to esm.sh that include URLs with HTTP or HTTPS prefixes, especially those that result in redirects to internal IP addresses such as 169.254.169.254 (cloud metadata service).'}, {'type': 'paragraph', 'content': 'Suggested commands to detect suspicious activity include:'}, {'type': 'list_item', 'content': "Use network packet capture tools like tcpdump or Wireshark to filter HTTP requests to esm.sh and look for URLs containing 'http://' or 'https://' prefixes."}, {'type': 'list_item', 'content': "Example tcpdump command to capture HTTP traffic to esm.sh: tcpdump -i any -s 0 -w esmsh_traffic.pcap 'host esm.sh and tcp port 80 or 443'"}, {'type': 'list_item', 'content': "Analyze web server logs or proxy logs for requests to esm.sh containing suspicious URL patterns such as '/http://' or '/https://'."}, {'type': 'list_item', 'content': "Use grep on logs: grep -E '/https?://' /path/to/logfile"}, {'type': 'paragraph', 'content': 'Because the vulnerability involves following HTTP 302 redirects to internal addresses, monitoring for unexpected redirects or errors related to disallowed hosts in esm.sh logs or application logs can also help detect exploitation.'}] [4]

Mitigation Strategies

To mitigate the SSRF vulnerability in esm.sh version 136, immediate steps include upgrading esm.sh to version 137 or later, where the vulnerability has been fixed.

The fix involves implementing strict host allowlisting in HTTP client requests to prevent esm.sh from following redirects or making requests to unauthorized internal hosts.

If upgrading immediately is not possible, a recommended mitigation is to replace the default HTTP client in esm.sh with a safer client such as safeurl.Client, which enforces stricter URL validation and prevents SSRF attacks.

Additional mitigation steps include:

  • Configure esm.sh to use a host whitelist for outgoing HTTP requests, blocking requests to internal IP addresses or unexpected hosts.
  • Monitor and block HTTP redirects to disallowed hosts by customizing redirect handling logic.
  • Review and restrict network access to internal services such as cloud metadata endpoints to minimize exposure.

Overall, upgrading to esm.sh v137, which includes the SSRF fix, is the most effective and immediate mitigation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-50180. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart