Platform: go
Component: github.com/esm-dev/esm.sh
Fixed in: 136.0.1, 0.0.0-20250616164159-0593516c4cfa
CVE-2025-50180 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in esm.sh, a JavaScript module resolver. This flaw allows attackers to potentially access sensitive information from internal networks by manipulating URLs used by the service. The vulnerability affects versions before 0.0.0-20250616164159-0593516c4cfa and has been resolved in a recent update.
The SSRF vulnerability in esm.sh allows an attacker to craft malicious URLs that, when processed by the service, trigger requests to internal resources. This can expose sensitive data residing on internal servers, such as configuration files, database backups, or even internal web applications. The attacker essentially leverages esm.sh as a proxy to bypass internal network security controls. A successful exploit could lead to data breaches, unauthorized access to internal systems, and potentially even further compromise if internal systems have vulnerabilities. The ability to retrieve arbitrary content makes this a significant risk, particularly in environments with strict network segmentation.
The vulnerability was publicly disclosed on 2026-02-25. There is no indication of active exploitation campaigns at this time. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 7.5 (HIGH) indicates a significant potential for exploitation if left unaddressed.
Organizations heavily reliant on esm.sh for JavaScript module resolution, particularly those with sensitive internal resources accessible via HTTP, are at risk. Environments with less stringent network segmentation policies are also more vulnerable, as an attacker could potentially leverage the SSRF to reach deeper into the internal network.
• linux / server:
journalctl -u esm-sh -g 'SSRF' | grep -i 'local.site'
• generic web:
curl -I https://esm.sh/https://local.site/test.md | grep -i 'local.site'
Exploit status
EPSS: 0.04% (13th percentile)
CISA SSVC
The primary mitigation for CVE-2025-50180 is to immediately upgrade to version 0.0.0-20250616164159-0593516c4cfa or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious URL suffixes (e.g., .js, .ts, .md). Additionally, review and restrict network access policies to limit the ability of esm.sh to make outbound requests to internal resources. Monitor esm.sh logs for unusual outbound requests that could indicate exploitation attempts. After upgrading, confirm the fix by attempting to access an internal resource via a crafted URL and verifying that the request is blocked or denied.
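Added example, not code from esm.sh: a Go gate for caller-supplied upstream URLs that implements the outbound restriction recommended above, refusing non-https schemes, literal internal addresses, localhost-style names and (as a second gate) DNS answers that point at private space. The function names and the .local/.internal suffix list are assumptions of this example.

```go
package main

import (
	"net"
	"net/url"
	"strings"
)

// ipIsInternal: loopback, RFC 1918 / ULA private space, link-local (cloud
// metadata endpoints live at 169.254.169.254) and the unspecified address.
func ipIsInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// hostIsInternal rejects literal internal IPs, localhost, single-label names
// (resolved via internal search domains) and the .local/.internal suffixes;
// that suffix list is an assumption of this example, not taken from esm.sh.
func hostIsInternal(host string) bool {
	h := strings.ToLower(strings.TrimSuffix(host, "."))
	if ip := net.ParseIP(h); ip != nil {
		return ipIsInternal(ip)
	}
	return h == "localhost" || !strings.Contains(h, ".") ||
		strings.HasSuffix(h, ".local") || strings.HasSuffix(h, ".internal")
}

// upstreamAllowed decides whether a resolver may fetch a caller-supplied URL
// (the part after the https://esm.sh/ prefix in the advisory's curl check):
// only a parseable https URL to a non-internal host passes.
func upstreamAllowed(raw string) bool {
	u, err := url.Parse(raw)
	return err == nil && u.Scheme == "https" && !hostIsInternal(u.Hostname())
}

// resolvedAddrsAllowed is the second gate, run on the addresses DNS returned
// for the host (passed in so the example runs offline): a public name that
// resolves to a private address is refused too, and an empty answer fails.
func resolvedAddrsAllowed(addrs []net.IP) bool {
	for _, ip := range addrs {
		if ipIsInternal(ip) {
			return false
		}
	}
	return len(addrs) > 0
}
```

A name such as local.site passes the first gate because it looks public; it is the resolved-address check that blocks it if it points at an internal host, so both gates must run before every fetch.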
Update esm.sh to version 137 or later. This fixes the SSRF vulnerability that allows information to be retrieved from internal websites. You can update the package using the npm or yarn package manager.
CVE-2025-50180 is an SSRF vulnerability in esm.sh, allowing attackers to retrieve internal website content through crafted URLs. It has a CVSS score of 7.5 (HIGH).
You are affected if you are using a version of esm.sh prior to 0.0.0-20250616164159-0593516c4cfa. Assess your deployments and upgrade immediately.
Upgrade to version 0.0.0-20250616164159-0593516c4cfa or later. Consider WAF rules as a temporary mitigation.
There is currently no evidence of active exploitation, but the vulnerability's severity warrants immediate action.
Refer to the esm.sh GitHub repository for updates and advisories related to this vulnerability: https://github.com/esm-dev/esm.sh