Vulnerability Details CVE-2025-50180
esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 12.6%
CVSS Severity
CVSS v3 Score 7.5
References
- https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/internal/fetch/fetch.go#L13
- https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/server/router.go#L511
- https://github.com/esm-dev/esm.sh/commit/0593516c4cfab49ad3b4900416a8432ff2e23eb0
- https://github.com/esm-dev/esm.sh/pull/1149
- https://github.com/esm-dev/esm.sh/releases/tag/v137
- https://github.com/esm-dev/esm.sh/security/advisories/GHSA-3c9r-837r-qqm4
Products affected by CVE-2025-50180
-
cpe:2.3:a:esm:esm.sh:100
-
cpe:2.3:a:esm:esm.sh:101
-
cpe:2.3:a:esm:esm.sh:102
-
cpe:2.3:a:esm:esm.sh:103
-
cpe:2.3:a:esm:esm.sh:104
-
cpe:2.3:a:esm:esm.sh:105
-
cpe:2.3:a:esm:esm.sh:106
-
cpe:2.3:a:esm:esm.sh:107
-
cpe:2.3:a:esm:esm.sh:108
-
cpe:2.3:a:esm:esm.sh:109
-
cpe:2.3:a:esm:esm.sh:110
-
cpe:2.3:a:esm:esm.sh:111
-
cpe:2.3:a:esm:esm.sh:112
-
cpe:2.3:a:esm:esm.sh:113
-
cpe:2.3:a:esm:esm.sh:114
-
cpe:2.3:a:esm:esm.sh:115
-
cpe:2.3:a:esm:esm.sh:116
-
cpe:2.3:a:esm:esm.sh:117
-
cpe:2.3:a:esm:esm.sh:118
-
cpe:2.3:a:esm:esm.sh:119
-
cpe:2.3:a:esm:esm.sh:120
-
cpe:2.3:a:esm:esm.sh:121
-
cpe:2.3:a:esm:esm.sh:122
-
cpe:2.3:a:esm:esm.sh:123
-
cpe:2.3:a:esm:esm.sh:124
-
cpe:2.3:a:esm:esm.sh:125
-
cpe:2.3:a:esm:esm.sh:126
-
cpe:2.3:a:esm:esm.sh:127
-
cpe:2.3:a:esm:esm.sh:128
-
cpe:2.3:a:esm:esm.sh:129
-
cpe:2.3:a:esm:esm.sh:130
-
cpe:2.3:a:esm:esm.sh:131
-
cpe:2.3:a:esm:esm.sh:132
-
cpe:2.3:a:esm:esm.sh:133
-
cpe:2.3:a:esm:esm.sh:134
-
cpe:2.3:a:esm:esm.sh:135
-
cpe:2.3:a:esm:esm.sh:135_1
-
cpe:2.3:a:esm:esm.sh:135_2
-
cpe:2.3:a:esm:esm.sh:135_3
-
cpe:2.3:a:esm:esm.sh:135_4
-
cpe:2.3:a:esm:esm.sh:135_5
-
cpe:2.3:a:esm:esm.sh:135_6
-
cpe:2.3:a:esm:esm.sh:135_7
-
cpe:2.3:a:esm:esm.sh:136
-
cpe:2.3:a:esm:esm.sh:136_1
-
cpe:2.3:a:esm:esm.sh:34
-
cpe:2.3:a:esm:esm.sh:35
-
cpe:2.3:a:esm:esm.sh:37
-
cpe:2.3:a:esm:esm.sh:38
-
cpe:2.3:a:esm:esm.sh:39
-
cpe:2.3:a:esm:esm.sh:40
-
cpe:2.3:a:esm:esm.sh:41
-
cpe:2.3:a:esm:esm.sh:43
-
cpe:2.3:a:esm:esm.sh:44
-
cpe:2.3:a:esm:esm.sh:45
-
cpe:2.3:a:esm:esm.sh:46
-
cpe:2.3:a:esm:esm.sh:47
-
cpe:2.3:a:esm:esm.sh:48
-
cpe:2.3:a:esm:esm.sh:49
-
cpe:2.3:a:esm:esm.sh:50
-
cpe:2.3:a:esm:esm.sh:51
-
cpe:2.3:a:esm:esm.sh:52
-
cpe:2.3:a:esm:esm.sh:53
-
cpe:2.3:a:esm:esm.sh:55
-
cpe:2.3:a:esm:esm.sh:56
-
cpe:2.3:a:esm:esm.sh:57
-
cpe:2.3:a:esm:esm.sh:59
-
cpe:2.3:a:esm:esm.sh:60
-
cpe:2.3:a:esm:esm.sh:61
-
cpe:2.3:a:esm:esm.sh:62
-
cpe:2.3:a:esm:esm.sh:63
-
cpe:2.3:a:esm:esm.sh:64
-
cpe:2.3:a:esm:esm.sh:65
-
cpe:2.3:a:esm:esm.sh:66
-
cpe:2.3:a:esm:esm.sh:67
-
cpe:2.3:a:esm:esm.sh:68
-
cpe:2.3:a:esm:esm.sh:69
-
cpe:2.3:a:esm:esm.sh:70
-
cpe:2.3:a:esm:esm.sh:71
-
cpe:2.3:a:esm:esm.sh:72
-
cpe:2.3:a:esm:esm.sh:73
-
cpe:2.3:a:esm:esm.sh:74
-
cpe:2.3:a:esm:esm.sh:75
-
cpe:2.3:a:esm:esm.sh:76
-
cpe:2.3:a:esm:esm.sh:77
-
cpe:2.3:a:esm:esm.sh:78
-
cpe:2.3:a:esm:esm.sh:79
-
cpe:2.3:a:esm:esm.sh:80
-
cpe:2.3:a:esm:esm.sh:81
-
cpe:2.3:a:esm:esm.sh:82
-
cpe:2.3:a:esm:esm.sh:83
-
cpe:2.3:a:esm:esm.sh:84
-
cpe:2.3:a:esm:esm.sh:85
-
cpe:2.3:a:esm:esm.sh:86
-
cpe:2.3:a:esm:esm.sh:87
-
cpe:2.3:a:esm:esm.sh:88
-
cpe:2.3:a:esm:esm.sh:89
-
cpe:2.3:a:esm:esm.sh:90
-
cpe:2.3:a:esm:esm.sh:91
-
cpe:2.3:a:esm:esm.sh:92
-
cpe:2.3:a:esm:esm.sh:93
-
cpe:2.3:a:esm:esm.sh:94
-
cpe:2.3:a:esm:esm.sh:95
-
cpe:2.3:a:esm:esm.sh:96
-
cpe:2.3:a:esm:esm.sh:97
-
cpe:2.3:a:esm:esm.sh:98
-
cpe:2.3:a:esm:esm.sh:99