CVE-2025-50180 HIGH

CVE-2025-50180: esm.sh is vulnerable to full-response SSRF

Vendor Esm-Dev
Product esm.sh
Weakness CWE-918 · SSRF
Published February 25, 2026
Last update February 27, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability.

Key dates

02Disclosure timeline

February 25, 2026 CVE published
February 27, 2026 Record updated