PT-2026-21933 · Esm Dev · Esm.Sh

Published: 2026-02-25 · Updated: 2026-03-03 · CVE-2025-50180

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: esm.sh versions prior to 137

Description: esm.sh is susceptible to a full-response Server-Side Request Forgery (SSRF) issue, which allows an attacker to retrieve content from internal websites. The flaw resides in the routing logic, specifically at https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/server/router.go#L511. An attacker can leverage it to fetch content from internal addresses whose paths end in specific suffixes: .js, .ts, .mjs, .mts, .jsx, .tsx, .cjs, .cts, .vue, .svelte, .md and .css. A 302 redirect can be used to bypass the suffix restriction. Exploitation can lead to access to internal resources and, in cloud environments, potentially to the retrieval of access keys (AK) and secret keys (SK) via the metadata service.

Recommendations: Versions prior to 137 should be updated to version 137 or later. It is recommended to use safeurl.Client as a replacement for http.Client, as described at https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/internal/fetch/fetch.go#L13.
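A hardened outbound fetcher of the kind the recommendation calls for, as an added example (this is not esm.sh's code and not the safeurl package it recommends): every redirect hop is re-checked against the suffix list from the description, and the dialer resolves each host itself and refuses loopback, private and link-local destinations, including the 169.254.169.254 metadata address. Function names, the redirect cap of 5 and the sample hosts in the comments are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"path"
)
// Extensions the advisory lists as fetchable; validateTarget re-checks them on every redirect hop.
var allowedExt = map[string]bool{".js": true, ".ts": true, ".mjs": true, ".mts": true, ".jsx": true, ".tsx": true,
	".cjs": true, ".cts": true, ".vue": true, ".svelte": true, ".md": true, ".css": true}

// isDisallowedIP rejects loopback, RFC 1918, link-local (incl. the 169.254.169.254 metadata address), unspecified and multicast.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() || ip.IsMulticast()
}

// validateTarget has the http.Client.CheckRedirect signature: it caps the hop count (assumed 5) and enforces scheme
// and extension on the next URL. Call it with via == nil on the initial request too; the client only invokes it for redirects.
func validateTarget(req *http.Request, via []*http.Request) error {
	if len(via) >= 5 || (req.URL.Scheme != "http" && req.URL.Scheme != "https") || !allowedExt[path.Ext(req.URL.Path)] {
		return fmt.Errorf("refusing %s: redirect limit, scheme or extension check failed", req.URL)
	}
	return nil
}

// safeDialContext resolves the host itself and refuses internal addresses, so a name pointing into internal space (first hop or after a 302) is stopped at connect time.
func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("resolve %s: %v", host, err)
	}
	for _, ip := range ips {
		if isDisallowedIP(ip.IP) {
			return nil, fmt.Errorf("%s resolves to internal address %s", host, ip.IP)
		}
	}
	// Dial the vetted IP rather than the name, so a second lookup cannot return a different answer.
	return (&net.Dialer{}).DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}

// newSafeClient wires both checks into one client; hostname resolution and IP filtering happen in the dialer.
func newSafeClient() *http.Client {
	return &http.Client{Transport: &http.Transport{DialContext: safeDialContext}, CheckRedirect: validateTarget}
}
```

The URL-level check alone would still let a public hostname that resolves to an internal address through, which is why the address filter sits in the dialer rather than in validateTarget.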

Tags: Exploit · Fix · SSRF

Related Identifiers

CVE-2025-50180
GHSA-3C9R-837R-QQM4
GO-2026-4545
SUSE-SU-2026:0757-1

Affected Products

Esm.Sh