CVE-2025-50180: esm.sh is vulnerable to full-response SSRF
(updated )
esh.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability.
References
- github.com/advisories/GHSA-3c9r-837r-qqm4
- github.com/esm-dev/esm.sh
- github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/internal/fetch/fetch.go
- github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/server/router.go
- github.com/esm-dev/esm.sh/commit/0593516c4cfab49ad3b4900416a8432ff2e23eb0
- github.com/esm-dev/esm.sh/pull/1149
- github.com/esm-dev/esm.sh/releases/tag/v137
- github.com/esm-dev/esm.sh/security/advisories/GHSA-3c9r-837r-qqm4
- nvd.nist.gov/vuln/detail/CVE-2025-50180
Code Behaviors & Features
Detect and mitigate CVE-2025-50180 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →