Platform: go
Component: github.com/esm-dev/esm.sh
Fixed in: 136.0.1, 0.0.0-20250616164159-0593516c4cfa
CVE-2025-50180 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in esm.sh, a JavaScript module resolver. This flaw allows attackers to potentially access sensitive information from internal networks by manipulating URLs used by the service. The vulnerability affects versions before 0.0.0-20250616164159-0593516c4cfa and has been resolved in a recent update.
The SSRF vulnerability in esm.sh allows an attacker to craft malicious URLs that, when processed by the service, trigger requests to internal resources. This can expose sensitive data residing on internal servers, such as configuration files, database backups, or internal web applications. The attacker essentially leverages esm.sh as a proxy to bypass internal network security controls. A successful exploit could lead to data breaches, unauthorized access to internal systems, and further compromise if those internal systems are themselves vulnerable. The ability to retrieve arbitrary content makes this a significant risk, particularly in environments that rely on network segmentation.
The vulnerability was publicly disclosed on 2026-02-25. There is no indication of active exploitation campaigns at this time. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 7.5 (HIGH) indicates a significant potential for exploitation if left unaddressed.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC
The primary mitigation for CVE-2025-50180 is to immediately upgrade to version 0.0.0-20250616164159-0593516c4cfa or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious URL suffixes (e.g., .js, .ts, .md). Additionally, review and restrict network access policies to limit the ability of esm.sh to make outbound requests to internal resources. Monitor esm.sh logs for unusual outbound requests that could indicate exploitation attempts. After upgrading, confirm the fix by attempting to access an internal resource via a crafted URL and verifying that the request is blocked or denied.
Update the version of esm.sh to version 137 or higher. This will resolve the SSRF (Server-Side Request Forgery) vulnerability that allows the retrieval of information from internal websites. You can update the package using the npm or yarn package manager.
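The egress restriction described above can also be enforced inside the service itself. The following is an added example written for this page, not esm.sh's own code: a Go dialer that refuses outbound connections to any non-public address. It assumes upstream fetches go through a net/http client; guardedDial, isPublicIP, errBlocked and the Resolver type are hypothetical names, and the resolver is injected (net.DefaultResolver.LookupIPAddr in production) so the policy can be tested offline.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
)

// Resolver matches net.DefaultResolver.LookupIPAddr and is injected so the policy is unit-testable without DNS.
type Resolver func(ctx context.Context, host string) ([]net.IPAddr, error)
var errBlocked = fmt.Errorf("outbound request to non-public address blocked")

// isPublicIP reports whether ip is routable on the public Internet. Loopback, RFC 1918, link-local
// (which covers cloud metadata endpoints), IPv6 ULA, multicast, unspecified and 100.64.0.0/10 are internal.
func isPublicIP(ip net.IP) bool {
	if ip == nil || ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast() {
		return false
	}
	if v4 := ip.To4(); v4 != nil && v4[0] == 100 && v4[1]&0xc0 == 64 {
		return false // 100.64.0.0/10 shared address space is not covered by IsPrivate
	}
	return true
}

// guardedDial returns a DialContext that resolves the host itself, rejects the name if any answer is non-public
// and dials the vetted IP, not the name, so a changed DNS answer (rebinding) cannot slip between check and connect.
func guardedDial(resolve Resolver) func(ctx context.Context, network, addr string) (net.Conn, error) {
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		addrs, err := resolve(ctx, host)
		if err != nil || len(addrs) == 0 {
			return nil, fmt.Errorf("host %q does not resolve: %v", host, err)
		}
		for _, a := range addrs {
			if !isPublicIP(a.IP) {
				return nil, errBlocked
			}
		}
		return (&net.Dialer{}).DialContext(ctx, network, net.JoinHostPort(addrs[0].IP.String(), port))
	}
}

func main() {
	client := &http.Client{Transport: &http.Transport{DialContext: guardedDial(net.DefaultResolver.LookupIPAddr)}}
	fmt.Println(client.Get("http://169.254.169.254/")) // constructed internal target: prints <nil> and the blocked error
}
```

Because http.Client follows redirects through the same transport, a redirect from a public host to an internal address is vetted and refused as well. The constructed target in main is the link-local metadata address, which the guard rejects before any connection is opened.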
CVE-2025-50180 is an SSRF vulnerability in esm.sh, allowing attackers to retrieve internal website content through crafted URLs. It has a CVSS score of 7.5 (HIGH).
You are affected if you are using a version of esm.sh prior to 0.0.0-20250616164159-0593516c4cfa. Assess your deployments and upgrade immediately.
Upgrade to version 0.0.0-20250616164159-0593516c4cfa or later. Consider WAF rules as a temporary mitigation.
There is currently no evidence of active exploitation, but the vulnerability's severity warrants immediate action.
Refer to the esm.sh GitHub repository for updates and advisories related to this vulnerability: https://github.com/esm-dev/esm.sh