Poppo25

#30663 of 53,625
8.6 Total CVSS
Vulnerabilities · 1
PT-2026-21936
8.6
2026-02-25
Esm.Sh · Esm.Sh · CVE-2026-27730
**Name of the Vulnerable Software and Affected Versions**

esm.sh versions up to and including 137

**Description**

esm.sh is a content delivery network (CDN) for web development. A server-side request forgery (SSRF) issue (CWE-918) exists in the `/http(s)` fetch route. The service attempts to prevent requests to localhost or internal targets, but the validation relies on hostname string checks, which can be circumvented using DNS alias domains. This allows an external party to make the esm.sh server fetch internal localhost services.

**Recommendations**

At the moment, there is no information about a newer version that contains a fix for this vulnerability.