CVE-2025-50180
Published: 25 February 2026
Summary
CVE-2025-50180 is a high-severity SSRF (CWE-918) vulnerability in Esm Esm.Sh. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-50180 is a full-response Server-Side Request Forgery (SSRF) vulnerability (CWE-918) affecting esm.sh, a no-build content delivery network (CDN) used in web development. The issue exists in version 136 of esm.sh, where attackers can exploit it to retrieve information from internal websites. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, and no requirements for privileges or user interaction.
Unauthenticated attackers can exploit this vulnerability remotely by crafting requests to esm.sh version 136, tricking the service into making requests to arbitrary internal endpoints and returning full responses. Successful exploitation allows retrieval of sensitive data from internal networks, such as metadata services or private APIs, without impacting integrity or availability.
Mitigation involves upgrading to esm.sh version 137, which addresses the vulnerability as detailed in the release notes and associated pull request #1149. The fix is implemented in the fetch handling code (internal/fetch/fetch.go) and router logic (server/router.go), with the specific commit 0593516c4cfab49ad3b4900416a8432ff2e23eb0 resolving the SSRF issue.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208114
Vulnerability details
esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing esm.sh service directly enables T1190 for remote exploitation; explicit mention of metadata service access enables T1552.005 for credential retrieval.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates SSRF by validating user-supplied URLs and requests in fetch handling to prevent access to internal endpoints.
Addresses the specific SSRF flaw in esm.sh version 136 by requiring timely remediation through patching to version 137.
Enforces information flow control policies to block unauthorized server-side requests from the CDN to internal networks.