8.6

esm.sh CDN Can Fetch Sensitive Local Services

CVE-2026-27730 · GHSA-p2v6-84h2-5x4r
Summary

esm.sh's CDN service can be tricked into fetching internal services on your network, potentially exposing sensitive data. This is a security risk if you use esm.sh to deliver sensitive content. To protect yourself, consider disabling the /http(s) module or using a different CDN until a patch is available.

What to do
  • Update github.com esm-dev to version 0.0.0-20250616164159-0593516c4cfa.
  • Update esm-dev github.com/esm-dev/esm.sh to version 0.0.0-20250616164159-0593516c4cfa.
Affected software
Vendor       Product                      Affected versions                       Fix available
github.com   esm-dev                      <= 0.0.0-20250616164159-0593516c4cfa    0.0.0-20250616164159-0593516c4cfa
esm          esm.sh                       <= 137                                  none
esm-dev      github.com/esm-dev/esm.sh    <= 0.0.0-20250616164159-0593516c4cfa    0.0.0-20250616164159-0593516c4cfa
Original title
esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route
Original description
esm.sh is a no-build content delivery network (CDN) for web development. Versions up to and including 137 have an SSRF vulnerability (CWE-918) in esm.sh’s `/http(s)` fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypassed using DNS alias domains. This allows an external requester to make the esm.sh server fetch internal localhost services. As of the time of publication, no known patched versions exist.
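The mitigation the description implies, as an added example that is not esm.sh's own code: instead of matching the hostname string, resolve it and vet every returned address, then pin the connection to the vetted IP so a name cannot change between the check and the connect. The `lookup` parameter is an assumption for offline testing; in production `net.LookupIP` fits its signature.

```go
package main

import (
	"context"
	"fmt"
	"net"
)

// isForbiddenIP: loopback, unspecified, RFC 1918/ULA, link-local and multicast
// are never valid targets for a public fetch proxy (IPv4-mapped IPv6 included).
func isForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsUnspecified() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast()
}

// resolveSafe replaces a hostname-string denylist: it resolves host with lookup
// (net.LookupIP in production, which returns IP literals as-is) and rejects the
// host if ANY returned address is internal, so alias domains are caught.
func resolveSafe(host string, lookup func(string) ([]net.IP, error)) (net.IP, error) {
	ips, err := lookup(host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("resolve %q: %v", host, err)
	}
	for _, ip := range ips {
		if isForbiddenIP(ip) {
			return nil, fmt.Errorf("forbidden: %s resolves to internal %s", host, ip)
		}
	}
	return ips[0], nil // the vetted address the caller must connect to
}

// pinnedDialer (for http.Transport.DialContext) connects to the vetted IP rather
// than re-resolving the name, closing the resolve-then-connect (rebinding) gap.
func pinnedDialer(lookup func(string) ([]net.IP, error)) func(context.Context, string, string) (net.Conn, error) {
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		ip, err := resolveSafe(host, lookup)
		if err != nil {
			return nil, err
		}
		return (&net.Dialer{}).DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
	}
}

func main() {
	fmt.Println(resolveSafe("::ffff:127.0.0.1", net.LookupIP)) // rejected, no DNS needed
}
```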
NVD CVSS 3.1: 7.5
Vulnerability type
CWE-918 Server-Side Request Forgery (SSRF)
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026