High severity · NVD Advisory · Published Feb 25, 2026 · Updated Feb 27, 2026
esm.sh is vulnerable to full-response SSRF
CVE-2025-50180
Description
esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF that allows an attacker to retrieve information from internal websites. Version 137 fixes the vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/esm-dev/esm.sh (Go) | < 0.0.0-20250616164159-0593516c4cfa | 0.0.0-20250616164159-0593516c4cfa |
Affected products
- ghsa-coords (2 versions): pkg:golang/github.com/esm-dev/esm.sh, pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6; range: < 0.0.0-20250616164159-0593516c4cfa (+ 1 more)
- (no CPE) range: < 0.0.0-20250616164159-0593516c4cfa
- (no CPE) range: < 0.0.20260226T182644-150000.1.149.1
References
- github.com/advisories/GHSA-3c9r-837r-qqm4 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-50180 (ghsa, ADVISORY)
- github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/internal/fetch/fetch.go (ghsa, x_refsource_MISC, WEB)
- github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/server/router.go (ghsa, x_refsource_MISC, WEB)
- github.com/esm-dev/esm.sh/commit/0593516c4cfab49ad3b4900416a8432ff2e23eb0 (ghsa, x_refsource_MISC, WEB)
- github.com/esm-dev/esm.sh/pull/1149 (ghsa, x_refsource_MISC, WEB)
- github.com/esm-dev/esm.sh/releases/tag/v137 (ghsa, x_refsource_MISC, WEB)
- github.com/esm-dev/esm.sh/security/advisories/GHSA-3c9r-837r-qqm4 (ghsa, x_refsource_CONFIRM, WEB)