Platform
go
Component
github.com/esm-dev/esm.sh
Fixed in
137.0.1
0.0.0-20250616164159-0593516c4cfa
CVE-2026-27730 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in esm.sh, a JavaScript module loader. This flaw allows attackers to bypass localhost and private network restrictions within the /http(s) module route, potentially leading to unauthorized access to internal services and data. The vulnerability impacts versions of esm.sh prior to 0.0.0-20250616164159-0593516c4cfa, and a fix has been released.
The SSRF vulnerability in esm.sh presents a significant risk because it enables attackers to craft malicious requests that originate from the server itself. By exploiting the /http(s) module route, an attacker can bypass intended security boundaries and access resources that should be inaccessible from external networks. This could include internal APIs, databases, or other sensitive services residing on the same network as the esm.sh server. Successful exploitation could lead to data exfiltration, privilege escalation, or even remote code execution if the accessed internal services are vulnerable. The ability to bypass localhost restrictions is particularly concerning, as it allows attackers to interact with services running on the same machine as esm.sh.
CVE-2026-27730 was publicly disclosed on 2026-02-27. While no public proof-of-concept (PoC) code has been released as of this writing, the SSRF nature of the vulnerability makes it likely that PoCs will emerge. The EPSS score is currently pending evaluation, but the SSRF vulnerability type generally carries a medium to high probability of exploitation given the ease of exploitation once a PoC is available. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.04% (12% percentile)
CISA SSVC
The primary mitigation for CVE-2026-27730 is to immediately upgrade to version 0.0.0-20250616164159-0593516c4cfa or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These might include restricting outbound network access from the esm.sh server to only trusted destinations, or implementing strict input validation on the /http(s) module route to prevent malicious URLs. Additionally, monitor access logs for unusual outbound requests originating from the esm.sh server. After upgrading, verify the fix by attempting to access internal resources via the /http(s) route and confirming that access is denied.
No patched version is available at the time of publication. It is recommended to avoid using esm.sh until a fixed version is released. Monitor the esm.sh repository for updates and apply the patch as soon as it is available.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-27730 is a Server-Side Request Forgery vulnerability in esm.sh that allows attackers to bypass localhost/private-network restrictions, potentially accessing internal resources.
You are affected if you are using a version of esm.sh prior to 0.0.0-20250616164159-0593516c4cfa.
Upgrade to version 0.0.0-20250616164159-0593516c4cfa or later. Consider temporary workarounds if immediate upgrade is not possible.
No active exploitation has been confirmed, but the SSRF nature of the vulnerability suggests potential for exploitation.
Refer to the esm.sh project's official communication channels and security advisories for the most up-to-date information.
CVSS Vector
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.