CVE-2025-50180
Severity: HIGH
WAF: Medium
CVSS 7.5
Published: 2026-02-25
CWE-918
esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF that allows an attacker to retrieve information from internal websites. Version 137 fixes the vulnerability.
WAF Coverage Analysis
Server-Side Request Forgery (SSRF)
Medium WAF Coverage
OWASP: A10:2021 SSRF
934xxx - Node.js / Generic Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| esm | esm.sh | up to 137 |