Cyber Resilience

CVE-2025-50180

HighPublic PoC

Published: 25 February 2026

Published
25 February 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0038 29.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-50180 is a high-severity SSRF (CWE-918) vulnerability in Esm Esm.Sh. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-50180 is a full-response Server-Side Request Forgery (SSRF) vulnerability (CWE-918) affecting esm.sh, a no-build content delivery network (CDN) used in web development. The issue exists in version 136 of esm.sh, where attackers can exploit it to retrieve information from internal websites. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, and no requirements for privileges or user interaction.

Unauthenticated attackers can exploit this vulnerability remotely by crafting requests to esm.sh version 136, tricking the service into making requests to arbitrary internal endpoints and returning full responses. Successful exploitation allows retrieval of sensitive data from internal networks, such as metadata services or private APIs, without impacting integrity or availability.

Mitigation involves upgrading to esm.sh version 137, which addresses the vulnerability as detailed in the release notes and associated pull request #1149. The fix is implemented in the fetch handling code (internal/fetch/fetch.go) and router logic (server/router.go), with the specific commit 0593516c4cfab49ad3b4900416a8432ff2e23eb0 resolving the SSRF issue.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF in public-facing esm.sh service directly enables T1190 for remote exploitation; explicit mention of metadata service access enables T1552.005 for credential retrieval.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27730Same product: Esm Esm.Sh
CVE-2026-23644Same product: Esm Esm.Sh
CVE-2026-33039Shared CWE-918
CVE-2026-33351Shared CWE-918
CVE-2025-54122Shared CWE-918
CVE-2026-25545Shared CWE-918
CVE-2026-41905Shared CWE-918
CVE-2026-28423Shared CWE-918
CVE-2026-42595Shared CWE-918
CVE-2025-8085Shared CWE-918

Affected Assets

esm
esm.sh
≤ 137

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates SSRF by validating user-supplied URLs and requests in fetch handling to prevent access to internal endpoints.

prevent

Addresses the specific SSRF flaw in esm.sh version 136 by requiring timely remediation through patching to version 137.

prevent

Enforces information flow control policies to block unauthorized server-side requests from the CDN to internal networks.

References