Platform
go
Component
github.com/esm-dev/esm.sh
Opgelost in
137.0.1
0.0.0-20250616164159-0593516c4cfa
CVE-2026-27730 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in esm.sh, a JavaScript module loader. This flaw allows attackers to bypass localhost and private network restrictions within the /http(s) module route, potentially leading to unauthorized access to internal services and data. The vulnerability impacts versions of esm.sh prior to 0.0.0-20250616164159-0593516c4cfa, and a fix has been released.
The SSRF vulnerability in esm.sh presents a significant risk because it enables attackers to craft malicious requests that originate from the server itself. By exploiting the /http(s) module route, an attacker can bypass intended security boundaries and access resources that should be inaccessible from external networks. This could include internal APIs, databases, or other sensitive services residing on the same network as the esm.sh server. Successful exploitation could lead to data exfiltration, privilege escalation, or even remote code execution if the accessed internal services are vulnerable. The ability to bypass localhost restrictions is particularly concerning, as it allows attackers to interact with services running on the same machine as esm.sh.
CVE-2026-27730 was publicly disclosed on 2026-02-27. While no public proof-of-concept (PoC) code has been released as of this writing, the SSRF nature of the vulnerability makes it likely that PoCs will emerge. The EPSS score is currently pending evaluation, but the SSRF vulnerability type generally carries a medium to high probability of exploitation given the ease of exploitation once a PoC is available. It is not currently listed on the CISA KEV catalog.
Organizations that rely on esm.sh for JavaScript module loading, particularly those deploying esm.sh within internal networks or behind firewalls, are at risk. Shared hosting environments where multiple users share the same esm.sh instance are also particularly vulnerable, as a compromised user could potentially exploit the SSRF vulnerability to access resources belonging to other users.
• linux / server: Monitor access logs for outbound requests to internal IP addresses or services via the /http(s) endpoint. Use journalctl -u esm.sh to check for unusual activity.
grep -i 'internal_ip_address' /var/log/esm.sh/access.log• generic web: Use curl to test the /http(s) endpoint with internal URLs.
curl http://localhost:8080/http://127.0.0.1:8081/ # Example internal URL• go: Examine the esm.sh source code for the /http(s) module route to identify potential vulnerabilities and ensure proper input validation is implemented.
disclosure
Exploit Status
EPSS
0.04% (12% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2026-27730 is to immediately upgrade to version 0.0.0-20250616164159-0593516c4cfa or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These might include restricting outbound network access from the esm.sh server to only trusted destinations, or implementing strict input validation on the /http(s) module route to prevent malicious URLs. Additionally, monitor access logs for unusual outbound requests originating from the esm.sh server. After upgrading, verify the fix by attempting to access internal resources via the /http(s) route and confirming that access is denied.
Er is momenteel geen gepatchte versie beschikbaar bij publicatie. Het wordt aanbevolen om het gebruik van esm.sh te vermijden totdat een gecorrigeerde versie is uitgebracht. Houd de esm.sh repository in de gaten voor updates en pas de patch zo spoedig mogelijk toe zodra deze beschikbaar is.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2026-27730 is a Server-Side Request Forgery vulnerability in esm.sh that allows attackers to bypass localhost/private-network restrictions, potentially accessing internal resources.
You are affected if you are using a version of esm.sh prior to 0.0.0-20250616164159-0593516c4cfa.
Upgrade to version 0.0.0-20250616164159-0593516c4cfa or later. Consider temporary workarounds if immediate upgrade is not possible.
No active exploitation has been confirmed, but the SSRF nature of the vulnerability suggests potential for exploitation.
Refer to the esm.sh project's official communication channels and security advisories for the most up-to-date information.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Upload je go.mod-bestand en we vertellen je direct of je getroffen bent.