CVE-2026-27730: esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route
An SSRF vulnerability (CWE-918) exists in esm.sh’s /http(s) fetch route.
The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypassed using DNS alias domains (for example, 127.0.0.1.nip.io resolving to 127.0.0.1).
This allows an external requester to make the esm.sh server fetch internal localhost services.
Severity: High (depending on deployment network exposure).
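The following Go snippet is an added example, not esm.sh's code: it places a string-comparison check of the kind the advisory describes beside a resolve-then-check version that rejects any target whose resolved address is loopback, private, link-local or IPv4-mapped. The `Resolver` type and the `CheckTarget`/`weakCheck` names are hypothetical, and the resolver is injected so the check runs offline against constructed DNS answers.

```go
package main

import (
	"fmt"
	"net"
)

// Resolver abstracts DNS so the check runs offline with constructed answers.
type Resolver func(host string) ([]net.IP, error)

// weakCheck models the flawed string check: "127.0.0.1.nip.io" passes because
// it is not one of the listed names, even though it resolves to 127.0.0.1.
func weakCheck(host string) bool {
	switch host {
	case "localhost", "127.0.0.1", "::1", "0.0.0.0":
		return false
	}
	return true
}

// isInternalIP flags loopback, private (RFC 1918/4193), link-local, multicast
// and unspecified addresses; To4() also normalises IPv4-mapped IPv6 forms.
func isInternalIP(ip net.IP) bool {
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// CheckTarget resolves host and rejects it if any answer is internal; it returns
// the vetted IPs so the caller dials those rather than re-resolving (rebinding).
func CheckTarget(host string, resolve Resolver) ([]net.IP, error) {
	ips := []net.IP{net.ParseIP(host)} // literal address needs no lookup
	if ips[0] == nil {
		var err error
		if ips, err = resolve(host); err != nil {
			return nil, err
		}
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("no addresses for %q", host)
	}
	for _, ip := range ips {
		if isInternalIP(ip) {
			return nil, fmt.Errorf("%q resolves to internal address %s", host, ip)
		}
	}
	return ips, nil
}
```

Dialing the returned addresses directly (for example via a custom `net.Dialer` control hook) keeps the check and the connection consistent; a second resolution at dial time would let the answer change between check and use.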
References
- github.com/advisories/GHSA-p2v6-84h2-5x4r
- github.com/esm-dev/esm.sh
- github.com/esm-dev/esm.sh/commit/0593516c4cfab49ad3b4900416a8432ff2e23eb0
- github.com/esm-dev/esm.sh/pull/1149
- github.com/esm-dev/esm.sh/releases/tag/v137
- github.com/esm-dev/esm.sh/security/advisories/GHSA-p2v6-84h2-5x4r
- nvd.nist.gov/vuln/detail/CVE-2026-27730